External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-03-27 05:45:05 -02:30
Code Issues Packages Projects Releases Wiki Activity

Add ResourceQuota plugin configuration (#11814)

Browse Source 
This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.
This commit is contained in:
Chad Swenson
2024-12-19 11:12:09 -06:00
committed by GitHub
parent bf70335493
commit 2fbf4806ed
3 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
roles/kubernetes/control-plane/defaults/main/main.yml
View File

@@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value> # cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits: {} kube_apiserver_admission_event_rate_limits: {}
## PodSecurityAdmission plugin configuration
kube_pod_security_use_default: false kube_pod_security_use_default: false
kube_pod_security_default_enforce: baseline kube_pod_security_default_enforce: baseline
kube_pod_security_default_enforce_version: "{{ kube_major_version }}" kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
kube_pod_security_exemptions_namespaces: kube_pod_security_exemptions_namespaces:
- kube-system - kube-system
## ResourceQuota plugin configuration
## Resources that ResourceQuota should limit by default if no quota exists
## Example below enforces quota on all storage classes
# kube_resource_quota_limited_resources:
# - apiGroup: ""
# resource: persistentvolumeclaims
# matchContains:
# - .storageclass.storage.k8s.io/requests.storage
kube_resource_quota_limited_resources: []
# 1.10+ list of disabled admission plugins # 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins: [] kube_apiserver_disable_admission_plugins: []

8
roles/kubernetes/control-plane/templates/resourcequota.yaml.j2 Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: apiserver.config.k8s.io/v1
kind: ResourceQuotaConfiguration
{% if kube_resource_quota_limited_resources | d(false) -%}
limitedResources:
{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
{% else %}
# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
{%- endif %}

1
roles/kubernetes/control-plane/vars/main.yaml
View File

@@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
- ImagePolicyWebhook - ImagePolicyWebhook
- PodSecurity - PodSecurity
- PodNodeSelector - PodNodeSelector
- ResourceQuota