kubernetes
diff --git a/‎nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/envvars/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/envvars/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion b/‎nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/model/components/apiserver.go
Lines changed: 7 additions & 7 deletions b/‎pkg/model/components/apiserver.go
Lines changed: 7 additions & 7 deletions
diff --git a/‎tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/additionalobjects/data/aws_launch_template_master-us-test-1a.masters.additionalobjects.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/additionalobjects/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/additionalobjects/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/additionalobjects/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/apiservernodes/data/aws_launch_template_apiserver.apiservers.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/apiservernodes/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_nodeupconfig-apiserver_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_nodeupconfig-apiserver_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/apiservernodes/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/aws-lb-controller/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/aws-lb-controller/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_launch_template_master-us-test-1a.masters.bastionuserdata.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_launch_template_master-us-test-1a.masters.bastionuserdata.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/bastionadditional_user-data/data/aws_s3_object_nodeupconfig-master-us-test-1a_content
Lines changed: 6 additions & 4 deletions
diff --git a/‎tests/integration/update_cluster/cluster-autoscaler-priority-expander-custom/data/aws_launch_template_master-us-test-1a.masters.cas-priority-expander-custom.example.com_user_data
Lines changed: 1 addition & 1 deletion b/‎tests/integration/update_cluster/cluster-autoscaler-priority-expander-custom/data/aws_launch_template_master-us-test-1a.masters.cas-priority-expander-custom.example.com_user_data
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/integration/update_cluster/cluster-autoscaler-priority-expander-custom/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions b/‎tests/integration/update_cluster/cluster-autoscaler-priority-expander-custom/data/aws_s3_object_cluster-completed.spec_content
Lines changed: 6 additions & 4 deletions
@@ -34,7 +34,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -48,7 +48,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -24,7 +24,7 @@ contents: |
       - --authorization-mode=AlwaysAllow
       - --bind-address=0.0.0.0
       - --client-ca-file=/srv/kubernetes/ca.crt
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -26,7 +26,7 @@ contents: |
       - --client-ca-file=/srv/kubernetes/ca.crt
       - --cloud-config=/etc/kubernetes/in-tree-cloud.config
       - --cloud-provider=external
-      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --enable-admission-plugins=DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,MutatingAdmissionWebhook,NamespaceLifecycle,NodeRestriction,ResourceQuota,RuntimeClass,ServiceAccount,ValidatingAdmissionPolicy,ValidatingAdmissionWebhook
       - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
       - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
 
@@ -147,21 +147,21 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(cluster *kops.Cluster) error
 		}
 	}
 
-	// TODO: We can probably rewrite these more clearly in descending order
 	// Based on recommendations from:
-	// https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
+	// https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
 	{
 		c.EnableAdmissionPlugins = []string{
-			"NamespaceLifecycle",
-			"LimitRanger",
-			"ServiceAccount",
-			//"PersistentVolumeLabel",
 			"DefaultStorageClass",
 			"DefaultTolerationSeconds",
+			"LimitRanger",
 			"MutatingAdmissionWebhook",
-			"ValidatingAdmissionWebhook",
+			"NamespaceLifecycle",
 			"NodeRestriction",
 			"ResourceQuota",
+			"RuntimeClass",
+			"ServiceAccount",
+			"ValidatingAdmissionPolicy",
+			"ValidatingAdmissionWebhook",
 		}
 		c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...)
 	}
 
@@ -130,7 +130,7 @@ ClusterName: additionalobjects.example.com
 ConfigBase: memfs://tests/additionalobjects.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: ControlPlane
-NodeupConfigHash: Fs2hbQ1UTITDVKZyfQgIjd55UiUucLBjwNrWgCrMXT8=
+NodeupConfigHash: 0meC2r1xzntznUBmhrowlZ15R1orWyhfcqnQO/L7fzo=
 
 __EOF_KUBE_ENV
 
 
@@ -71,15 +71,17 @@ spec:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -13,15 +13,17 @@ APIServerConfig:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -130,7 +130,7 @@ ClusterName: minimal.example.com
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: apiserver
 InstanceGroupRole: APIServer
-NodeupConfigHash: DGxbW0XRm7D5zB9YwjGlYU7alrRcRG85ySGSp39Mk1E=
+NodeupConfigHash: AgCyoFYOQwCZEOAgf2qNhCsimY8Uec8L91X/tYvfK/w=
 
 __EOF_KUBE_ENV
 
 
@@ -130,7 +130,7 @@ ClusterName: minimal.example.com
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: ControlPlane
-NodeupConfigHash: oat4TLWZZOwj65R6CKin5eR7GMvLjjtMZK541q480iE=
+NodeupConfigHash: P8AZpsNu0IcynnqI+pa1TYDzCrWTi7Lmiydk+eADVUg=
 
 __EOF_KUBE_ENV
 
 
@@ -64,15 +64,17 @@ spec:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -13,15 +13,17 @@ APIServerConfig:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -13,15 +13,17 @@ APIServerConfig:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -130,7 +130,7 @@ ClusterName: minimal.example.com
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: ControlPlane
-NodeupConfigHash: hwe4qrB8lrpQUByJDxUeDm6WzYWNuE7nQHAfP5g5nQo=
+NodeupConfigHash: kaj//kni7EON1tJan0zbwiVDX7DJH7p7u+F5gzQWU+M=
 
 __EOF_KUBE_ENV
 
 
@@ -69,15 +69,17 @@ spec:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -13,15 +13,17 @@ APIServerConfig:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -130,7 +130,7 @@ ClusterName: bastionuserdata.example.com
 ConfigBase: memfs://clusters.example.com/bastionuserdata.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: ControlPlane
-NodeupConfigHash: /CMrJEa3vry2ndHUBbapU9y1w15UKdldYMHe4/Il0ic=
+NodeupConfigHash: esf5IJa5KiGsVm/r4EJ1yLqsGLtxhDSebXYvFY8+g2c=
 
 __EOF_KUBE_ENV
 
 
@@ -66,15 +66,17 @@ spec:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -12,15 +12,17 @@ APIServerConfig:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
 
@@ -130,7 +130,7 @@ ClusterName: cas-priority-expander-custom.example.com
 ConfigBase: memfs://clusters.example.com/cas-priority-expander-custom.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: ControlPlane
-NodeupConfigHash: lqrSzC/HkARFePSIR7bgPBUBlM3HsZGxpFrTx66sn1k=
+NodeupConfigHash: V9jtpA9K9rCvzZnOmyUyTwnWRstkveohbN39ZDuT8TA=
 
 __EOF_KUBE_ENV
 
 
@@ -88,15 +88,17 @@ spec:
     bindAddress: 0.0.0.0
     cloudProvider: external
     enableAdmissionPlugins:
-    - NamespaceLifecycle
-    - LimitRanger
-    - ServiceAccount
     - DefaultStorageClass
     - DefaultTolerationSeconds
+    - LimitRanger
     - MutatingAdmissionWebhook
-    - ValidatingAdmissionWebhook
+    - NamespaceLifecycle
     - NodeRestriction
     - ResourceQuota
+    - RuntimeClass
+    - ServiceAccount
+    - ValidatingAdmissionPolicy
+    - ValidatingAdmissionWebhook
     etcdServers:
     - https://127.0.0.1:4001
     etcdServersOverrides:
Original file line number	Diff line number	Diff line change
`@@ -147,21 +147,21 @@ func (b KubeAPIServerOptionsBuilder) BuildOptions(cluster kops.Cluster) error`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`
`150`		`- // TODO: We can probably rewrite these more clearly in descending order`
`151`	`150`	`// Based on recommendations from:`
`152`		`- // https://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use`
	`151`	`+ // https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/`
`153`	`152`	`{`
`154`	`153`	`c.EnableAdmissionPlugins = []string{`
`155`		`- "NamespaceLifecycle",`
`156`		`- "LimitRanger",`
`157`		`- "ServiceAccount",`
`158`		`- //"PersistentVolumeLabel",`
`159`	`154`	`"DefaultStorageClass",`
`160`	`155`	`"DefaultTolerationSeconds",`
	`156`	`+ "LimitRanger",`
`161`	`157`	`"MutatingAdmissionWebhook",`
`162`		`- "ValidatingAdmissionWebhook",`
	`158`	`+ "NamespaceLifecycle",`
`163`	`159`	`"NodeRestriction",`
`164`	`160`	`"ResourceQuota",`
	`161`	`+ "RuntimeClass",`
	`162`	`+ "ServiceAccount",`
	`163`	`+ "ValidatingAdmissionPolicy",`
	`164`	`+ "ValidatingAdmissionWebhook",`
`165`	`165`	`}`
`166`	`166`	`c.EnableAdmissionPlugins = append(c.EnableAdmissionPlugins, c.AppendAdmissionPlugins...)`
`167`	`167`	`}`