diff options
| author | Kubernetes Submit Queue <k8s-merge-robot@users.noreply.github.com> | 2017-10-20 09:42:07 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-10-20 09:42:07 -0700 |
| commit | 0fd19f68024904e356daa230a3b6ce192ef3c811 (patch) | |
| tree | b275261b002b0804c106b61580cda84ab9740a2d | |
| parent | c7b3bdf5639fd4772572d7f7bb94e64aec042b25 (diff) | |
| parent | f8a20b9fb079c13915911903a5b0ff96b15d332c (diff) | |
Merge pull request #1243 from liggitt/revert-initializer-namespaces
Automatic merge from submit-queue.
Revert initializer namespace selector change
https://github.com/kubernetes/community/pull/1191 was accidentally merged
| -rw-r--r-- | contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md | 26 |
1 files changed, 0 insertions, 26 deletions
diff --git a/contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md b/contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md index 00b05b17..a7d42caa 100644 --- a/contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md +++ b/contributors/design-proposals/api-machinery/dynamic-admission-control-configuration.md @@ -24,8 +24,6 @@ default admission controls. This document hashes out the implementation details. * Do not block the entire cluster if the initializers/webhooks are not ready after registration. -* Admin can enforce initializers to specific namespaces. - ## Specification We assume initializers could be "fail open". We need to update the extensible @@ -75,13 +73,6 @@ type Initializer struct { // if the timeout is reached. The default timeout for each initializer is // 5s. FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty"` - - // Selects Namespaces using cluster scoped-labels. This - // matches all pods in all namespaces selected by this label selector. - // This field follows standard label selector semantics. - // If present but empty, this selector selects all namespaces. - // +optional - NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"` } // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended @@ -282,23 +273,6 @@ crashes, so it is rare. See [Considered but REJECTED alternatives](#considered-but-rejected-alternatives) for considered alternatives. -## Enforce initializers to specific namespaces - -Current `InitializerConfiguration` is at the cluster level and all of the to-be-created resources (such as rc and deployments) defined in `Rules` -will be appended with the pending initializers automatically during creation, regardless of the namespace. -There is no way to only apply the initializers to specific namespaces. - -For example, when running a multi-tenant cluster, it'd be quite useful to only apply the rules in just certain namespaces. Sometimes we -don't want to enforce in "kube-*" related namespaces as well. - -With the help of `NamespaceSelector`, we can - -* Apply initializer to ALL namespaces (by default); -* Apply initializer to limited namespaces using label selector; - -Since most users won't add extra labels for namespaces explicitly when creating new resources, the selector matching should only be applied to -`labels.Set(map[string]string{"namespace": namespace})` instead of widely-used `metadata.Labels`. - ## Future work 1. Figuring out a better schema to represent the order among |