Enable more default admission plugins

services/apiserver.go

@@ -16,6 +16,7 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle"
+	"k8s.io/apiserver/pkg/admission/plugin/resourcequota"
 	"k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/mutating"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/validating"
@@ -51,6 +52,10 @@ import (
 	"k8s.io/kubernetes/pkg/kubeapiserver/options"
 	"k8s.io/kubernetes/pkg/kubelet/client"
 	"k8s.io/kubernetes/pkg/serviceaccount"
+	"k8s.io/kubernetes/plugin/pkg/admission/nodetaint"
+	"k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity"
+	saplugin "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
+	"k8s.io/kubernetes/plugin/pkg/admission/storage/persistentvolume/resize"
 )
 
 const audience = "https://kubernetes.default.svc.cluster.local"
@@ -191,9 +196,36 @@ func buildConfig(c *Cluster) (config *server.Config, clients *Clients, err error
 		err = fmt.Errorf("could not get admission plugins: %w", err)
 		return
 	}
+
+	// Some default plugins are not enabled here:
+	// limitranger, since we do not support LimitRange
+	// setdefault, since we do not support default storage class
+	// defaulttolrationseconds, as we do not use this feature
+	// storageobjectinuseprotection, as we do not use this feature
+	// podpriority, as we do not use this feature
+	// runtimeclass, as we do not use this feature
+	// defaultingressclass, as we do not use this feature
 	plugins := admission.NewPlugins()
-	pluginsNames := []string{lifecycle.PluginName, mutating.PluginName, validatingadmissionpolicy.PluginName, validating.PluginName}
-	server.RegisterAllAdmissionPlugins(plugins)
+	lifecycle.Register(plugins)
+	mutating.Register(plugins)
+	validatingadmissionpolicy.Register(plugins)
+	validating.Register(plugins)
+	resize.Register(plugins)
+	resourcequota.Register(plugins)
+	nodetaint.Register(plugins)
+	podsecurity.Register(plugins)
+	saplugin.Register(plugins)
+	pluginsNames := []string{
+		lifecycle.PluginName,
+		mutating.PluginName,
+		validatingadmissionpolicy.PluginName,
+		validating.PluginName,
+		resize.PluginName,
+		resourcequota.PluginName,
+		nodetaint.PluginName,
+		podsecurity.PluginName,
+		saplugin.PluginName,
+	}
 	pluginsConfig, _ := admission.ReadAdmissionConfiguration(pluginsNames, "", nil) // Never fails without config file
 	genericInitializer := initializer.New(clients.Client, clients.DynClient, clients.Informer, config.Authorization.Authorizer, feature.DefaultFeatureGate, config.DrainedNotify())
 	initializersChain := admission.PluginInitializers{genericInitializer}