Admission controllers are plugins that govern and enforce how the cluster is used. MKE uses two types of admission controllers: default and custom.

The custom admission controllers perform the following functions:

- Annotates Docker Compose-on-Kubernetes Stack resources with the identity of the user performing the request, so that the Docker Compose-on-Kubernetes resource controller can manage Stacks with correct user authorization.
- Detects when ServiceAccount resources are deleted, so that they can be correctly removed from MKE's Node scheduling authorization backend.
- Simplifies creation of RoleBindings and ClusterRoleBindings resources by automatically converting user, organization, and team Subject names into their corresponding unique identifiers.
- Prevents deletion of the built-in cluster-admin ClusterRole or ClusterRoleBinding resources.
- Prevents under-privileged users from creating PersistentVolume resources with host paths.
- Works in conjunction with the built-in PodSecurityPolicies admission controller to prevent under-privileged users from creating Pods with privileged options.
- Adds a com.docker.ucp.orchestrator.kubernetes:* toleration to pods in the kube-system namespace and removes com.docker.ucp.orchestrator.kubernetes tolerations from pods in other namespaces. This ensures that user workloads do not run on swarm-only nodes, which MKE taints with com.docker.ucp.orchestrator.kubernetes:NoExecute. It also adds a node affinity to prevent pods from running on manager nodes, depending on MKE's settings.

Note: Custom admission controllers cannot be enabled or disabled by the user.
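The toleration rewrite described above, modelled as an added Python example (not MKE's own code): `mutate_pod` applies the kube-system / other-namespace rule to a Pod object, and `tolerates` shows why it matters by checking the pod against the NoExecute taint MKE places on swarm-only nodes. The Pod objects are constructed samples; the manager-node affinity part of the controller is not modelled.

```python
import copy

TAINT_KEY = "com.docker.ucp.orchestrator.kubernetes"
# Taint MKE applies to swarm-only nodes (key:NoExecute, any value)
SWARM_ONLY_TAINT = {"key": TAINT_KEY, "effect": "NoExecute"}


def mutate_pod(pod: dict) -> dict:
    """Return a mutated copy of the Pod: kube-system pods get a wildcard
    toleration for the orchestrator taint; pods in any other namespace lose
    every toleration for that key. Other tolerations are left untouched."""
    pod = copy.deepcopy(pod)
    namespace = pod.get("metadata", {}).get("namespace", "default")
    spec = pod.setdefault("spec", {})
    tolerations = [t for t in spec.get("tolerations", []) if t.get("key") != TAINT_KEY]
    if namespace == "kube-system":
        # "key:*" in the text means tolerate any value -> operator Exists, no value
        tolerations.append({"key": TAINT_KEY, "operator": "Exists"})
    spec["tolerations"] = tolerations
    return pod


def tolerates(pod: dict, taint: dict) -> bool:
    """Kubernetes taint/toleration matching: the pod may be scheduled onto a
    node carrying `taint` only if one of its tolerations matches the taint's
    key (and value, for operator Equal) and effect (or has no effect set)."""
    for t in pod.get("spec", {}).get("tolerations", []):
        if t.get("effect") not in (None, "", taint["effect"]):
            continue
        operator = t.get("operator", "Equal")
        if operator == "Exists":
            # Empty key with Exists tolerates every taint
            if t.get("key") in (None, "", taint["key"]):
                return True
        elif t.get("key") == taint["key"] and t.get("value", "") == taint.get("value", ""):
            return True
    return False


# Constructed samples: a user-namespace pod that tries to tolerate the
# swarm-only taint itself, and a system pod with no tolerations at all.
USER_POD = {"metadata": {"name": "web", "namespace": "team-a"},
            "spec": {"tolerations": [{"key": TAINT_KEY, "operator": "Exists"}]}}
SYSTEM_POD = {"metadata": {"name": "coredns", "namespace": "kube-system"}, "spec": {}}

if __name__ == "__main__":
    print("user pod, as submitted:", tolerates(USER_POD, SWARM_ONLY_TAINT))
    print("user pod, after admission:", tolerates(mutate_pod(USER_POD), SWARM_ONLY_TAINT))
    print("system pod, after admission:", tolerates(mutate_pod(SYSTEM_POD), SWARM_ONLY_TAINT))
```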