avoid the ValidatingAdmissionPolicy admission plugin when it can't work

Ryan Richard
2024-04-25 15:22:32 -07:00
parent 51b1dbd2af
commit 9838a7cb6d
6 changed files with 374 additions and 2 deletions


@@ -43,6 +43,7 @@ import (
"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
supervisorinformers "go.pinniped.dev/generated/latest/client/supervisor/informers/externalversions"
supervisoropenapi "go.pinniped.dev/generated/latest/client/supervisor/openapi"
"go.pinniped.dev/internal/admissionpluginconfig"
"go.pinniped.dev/internal/apiserviceref"
"go.pinniped.dev/internal/config/featuregates"
"go.pinniped.dev/internal/config/supervisor"
@@ -622,6 +623,11 @@ func getAggregatedAPIServerConfig(
// This port is configurable. It should be safe to cast because the config reader already validated it.
recommendedOptions.SecureServing.BindPort = int(aggregatedAPIServerPort)
err := admissionpluginconfig.ConfigureAdmissionPlugins(recommendedOptions)
if err != nil {
return nil, fmt.Errorf("failed to configure admission plugins on recommended options: %w", err)
}
// secure TLS for connections coming from and going to the Kube API server
// this is best effort because not all options provide the right hooks to override TLS config
// since our only client is the Kube API server, this uses the most secure TLS config
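Review bot: The added `admissionpluginconfig.ConfigureAdmissionPlugins(recommendedOptions)` call is the only step in this stretch without a comment, although it decides which admission plugins the aggregated API server runs. Going by the commit title, it presumably turns off ValidatingAdmissionPolicy on clusters where the plugin cannot work; the helper body is not in this hunk, so that should be confirmed against it. I would add above the call `// Turn off the ValidatingAdmissionPolicy admission plugin on clusters where it cannot work (see package admissionpluginconfig).` and, if the helper does not already do so, log when the plugin is disabled so operators can tell that such policies are not being evaluated by this API server. getAggregatedAPIServerConfig starts and ends outside the hunk.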