Admission controllers are plugins that govern and enforce how the cluster is used. There are two types of admission controllers used, Default and Custom.
The custom admission controllers do the following:

- Annotate Stack resources with the identity of the user performing the request so that the Docker Compose-on-Kubernetes resource controller can manage Stacks with correct user authorization.
- Detect when ServiceAccount resources are deleted so that they can be correctly removed from MKE's Node scheduling authorization backend.
- Simplify RoleBindings and ClusterRoleBindings resources by automatically converting user, organization, and team Subject names into their corresponding unique identifiers.
- Protect the cluster-admin ClusterRole or ClusterRoleBinding resources.
- Restrict PersistentVolume resources with host paths.
- Work with the PodSecurityPolicies admission controller to prevent under-privileged users from creating Pods with privileged options.
- Add a com.docker.ucp.orchestrator.kubernetes:* toleration to pods in the kube-system namespace and remove com.docker.ucp.orchestrator.kubernetes tolerations from pods in other namespaces. This ensures that user workloads do not run on swarm-only nodes, which MKE taints with com.docker.ucp.orchestrator.kubernetes:NoExecute. It also adds a node affinity to prevent pods from running on manager nodes, depending on MKE's settings.

Note

Custom admission controllers cannot be enabled or disabled by the user.
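The following Go program is an added example, not MKE's own code and not taken from this page. It shows what two of the decisions above look like when written as admission-webhook logic: a mutating function that produces the JSON Patch adding the orchestrator toleration to kube-system pods and stripping it from pods in any other namespace, and a validating function that rejects hostPath PersistentVolumes from non-administrators. The Pod and PersistentVolume structs are minimal stand-ins for the k8s.io/api types so the file builds with the standard library only; the `system:masters` group used as the privileged group, and the sample JSON objects, are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Taint key MKE applies to swarm-only nodes (from the page). The effect is
// NoExecute, so a pod without a matching toleration is evicted from such nodes.
const orchestratorKey = "com.docker.ucp.orchestrator.kubernetes"

// Minimal subsets of Pod and PersistentVolume: stand-ins for the k8s.io/api
// types so this file compiles with the standard library alone.
type Toleration struct {
	Key      string `json:"key,omitempty"`
	Operator string `json:"operator,omitempty"`
	Value    string `json:"value,omitempty"`
	Effect   string `json:"effect,omitempty"`
}

type Pod struct {
	Spec struct {
		Tolerations []Toleration `json:"tolerations,omitempty"`
	} `json:"spec"`
}

type PersistentVolume struct {
	Spec struct {
		HostPath *struct {
			Path string `json:"path"`
		} `json:"hostPath,omitempty"`
	} `json:"spec"`
}

// PatchOp is one RFC 6902 JSON Patch operation, the format a mutating webhook
// returns in AdmissionResponse.patch with patchType "JSONPatch".
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// mutateTolerations builds the patch for a pod admitted into namespace ns:
// kube-system pods gain a wildcard toleration for the orchestrator taint,
// pods in every other namespace lose any toleration for that key.
func mutateTolerations(ns string, podJSON []byte) ([]PatchOp, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	tols := pod.Spec.Tolerations
	if ns == "kube-system" {
		for _, t := range tols {
			if t.Key == orchestratorKey && t.Operator == "Exists" {
				return nil, nil // wildcard toleration already present, nothing to do
			}
		}
		// Operator Exists with no value tolerates every value and effect of the
		// key, which is the "com.docker.ucp.orchestrator.kubernetes:*" form.
		wild := Toleration{Key: orchestratorKey, Operator: "Exists"}
		if tols == nil {
			return []PatchOp{{Op: "add", Path: "/spec/tolerations", Value: []Toleration{wild}}}, nil
		}
		return []PatchOp{{Op: "add", Path: "/spec/tolerations/-", Value: wild}}, nil
	}
	// Remove from the highest index down so earlier indices stay valid while
	// the API server applies the operations in order.
	var ops []PatchOp
	for i := len(tols) - 1; i >= 0; i-- {
		if tols[i].Key == orchestratorKey {
			ops = append(ops, PatchOp{Op: "remove", Path: fmt.Sprintf("/spec/tolerations/%d", i)})
		}
	}
	return ops, nil
}

// validateHostPathPV is the validating counterpart: a PersistentVolume backed
// by a host path is admitted only when the requester is in the administrator
// group. Which group counts as administrator is an assumption of this example.
func validateHostPathPV(userGroups []string, pvJSON []byte) (allowed bool, reason string, err error) {
	var pv PersistentVolume
	if err := json.Unmarshal(pvJSON, &pv); err != nil {
		return false, "", fmt.Errorf("decode persistentvolume: %w", err)
	}
	if pv.Spec.HostPath == nil {
		return true, "", nil
	}
	for _, g := range userGroups {
		if g == "system:masters" { // assumed privileged group
			return true, "", nil
		}
	}
	return false, "hostPath volumes are reserved for cluster administrators", nil
}

// Constructed sample objects for the example, not captured from a real cluster.
const userPodJSON = `{"spec":{"tolerations":[
 {"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute"},
 {"key":"com.docker.ucp.orchestrator.kubernetes","operator":"Exists"}]}}`

const hostPathPVJSON = `{"spec":{"hostPath":{"path":"/var/lib/data"}}}`

func main() {
	ops, _ := mutateTolerations("default", []byte(userPodJSON))
	out, _ := json.Marshal(ops)
	fmt.Println(string(out)) // [{"op":"remove","path":"/spec/tolerations/1"}]
	ok, why, _ := validateHostPathPV([]string{"system:authenticated"}, []byte(hostPathPVJSON))
	fmt.Println(ok, why)
}
```

A real webhook would wrap these functions in an HTTPS handler that decodes the AdmissionReview, takes the namespace and user groups from `request.namespace` and `request.userInfo.groups`, and base64-encodes the patch into the response; the decision logic itself is what the functions above isolate.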