Admission controllers

Admission controllers

Admission controllers are plugins that govern and enforce how the cluster is used. There are two types of admission controllers used, Default and Custom.


  • NamespaceLifecycle

  • LimitRanger

  • ServiceAccount

  • PersistentVolumeLabel

  • DefaultStorageClass

  • DefaultTolerationSeconds

  • NodeRestriction

  • ResourceQuota

  • PodNodeSelector

  • PodSecurityPolicy

  • MutatingAdmissionWebhook

  • ValidatingAdmissionWebhook


  • UCPAuthorization:

    • Annotates Docker Compose-on-Kubernetes Stack resources with the identity of the user performing the request so that the Docker Compose-on-Kubernetes resource controller can manage Stacks with correct user authorization.

    • Detects when ServiceAccount resources are deleted so that they can be correctly removed from MKE’s Node scheduling authorization backend.

    • Simplifies creation of RoleBindings and ClusterRoleBindings resources by automatically converting user, organization, and team Subject names into their corresponding unique identifiers.

    • Prevents users from deleting the built-in cluster-admin ClusterRole or ClusterRoleBinding resources.

    • Prevents under-privileged users from creating or updating PersistintVolume resources with host paths.

    • Works in conjunction with the built-in PodSecurityPolicies admission controller to prevent under-privileged users from creating Pods with privileged options.

  • CheckImageSigning: Enforces MKE’s Docker Content Trust policy which, if enabled, requires that all pods use container images which have been digitally signed by trusted and authorized users which are members of one or more teams in MKE.

  • UCPNodeSelector: Adds a com.docker.ucp.orchestrator.kubernetes:* toleration to pods in the kube-system namespace and removes com.docker.ucp.orchestrator.kubernetes tolerations from pods in other namespaces. This ensures that user workloads do not run on swarm-only nodes, which MKE taints with com.docker.ucp.orchestrator.kubernetes:NoExecute. It also adds a node affinity to prevent pods from running on manager nodes depending on MKE’s settings.


Custom admission controllers cannot be enabled or disabled by the user.