启动篇-10 Admission Controller 准入控制
buildGenericConfig
func buildGenericConfig(...)(...){
...
s.Admission.ApplyTo()
...
}
ApplyTo
// ApplyTo 添加 admission chain 到 server 配置中
// Kube-apiserver 只是调用 generic AdmissionOptions.ApplyTo
func (a *AdmissionOptions) ApplyTo(...) error {
...
return a.GenericAdmission.ApplyTo(...)
}
ApplyTo
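// ApplyTo builds the admission chain and installs it on the server config.
//
// The enabled plugin names come from a.enabledPluginNames() and their
// configuration is read from a.ConfigFile. A generic plugin initializer is
// created here and placed first in the initializer chain, followed by the
// caller-supplied pluginInitializers.
//
// Ordering matters: the generic initializer receives
// c.Authorization.Authorizer as it is at call time, so the authorizer must
// already be configured on c before ApplyTo runs. Plugins are initialized with
// whatever value is present at that moment.
//
// A nil receiver is a no-op: nil is returned and c.AdmissionControl is left
// untouched, so no admission chain is installed by this call.
//
// An error is returned when c, informers or kubeAPIServerClientConfig is nil,
// when the plugin configuration cannot be read, when either client cannot be
// constructed, or when the plugin chain cannot be built.
func (a *AdmissionOptions) ApplyTo(
	c *server.Config,
	informers informers.SharedInformerFactory,
	kubeAPIServerClientConfig *rest.Config,
	features featuregate.FeatureGate,
	pluginInitializers ...admission.PluginInitializer,
) error {
	if a == nil {
		return nil
	}
	// c is dereferenced below (authorizer, drain notification, AdmissionControl);
	// report a nil config as an error instead of panicking during startup.
	if c == nil {
		return fmt.Errorf("admission depends on a server config, it cannot be nil")
	}

	// Admission depends on CoreAPI to set SharedInformerFactory and ClientConfig.
	if informers == nil {
		return fmt.Errorf("admission depends on a Kubernetes core API shared informer, it cannot be nil")
	}
	// Both client constructors below take this config; reject nil up front so
	// the failure is an explicit error rather than a nil dereference.
	if kubeAPIServerClientConfig == nil {
		return fmt.Errorf("admission depends on a Kubernetes core API client config, it cannot be nil")
	}

	// The enabled plugin name list is derived from RecommendedPluginOrder,
	// DefaultOffPlugins, EnablePlugins and DisablePlugins.
	pluginNames := a.enabledPluginNames()

	pluginsConfigProvider, err := admission.ReadAdmissionConfiguration(pluginNames, a.ConfigFile, configScheme)
	if err != nil {
		return fmt.Errorf("failed to read plugin config: %w", err)
	}

	clientset, err := kubernetes.NewForConfig(kubeAPIServerClientConfig)
	if err != nil {
		return fmt.Errorf("failed to create admission clientset: %w", err)
	}
	dynamicClient, err := dynamic.NewForConfig(kubeAPIServerClientConfig)
	if err != nil {
		return fmt.Errorf("failed to create admission dynamic client: %w", err)
	}

	// The generic initializer goes first so every plugin receives the shared
	// clients, informers, authorizer and feature gates before any
	// caller-supplied initializer runs.
	genericInitializer := initializer.New(clientset, dynamicClient, informers, c.Authorization.Authorizer, features, c.DrainedNotify())
	initializersChain := admission.PluginInitializers{genericInitializer}
	initializersChain = append(initializersChain, pluginInitializers...)

	admissionChain, err := a.Plugins.NewFromPlugins(pluginNames, pluginsConfigProvider, initializersChain, a.Decorators)
	if err != nil {
		return fmt.Errorf("failed to build admission chain: %w", err)
	}

	// Install the admission chain on the server config, wrapped with step metrics.
	c.AdmissionControl = admissionmetrics.WithStepMetrics(admissionChain)
	return nil
}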