Admission controllers


This topic applies to Docker Enterprise.

The Docker Enterprise platform business, including products, customers, and employees, has been acquired by Mirantis, Inc., effective 13-November-2019. For more information on the acquisition and how it may affect you and your business, refer to the Docker Enterprise Customer FAQ.

Admission controllers are plugins that govern and enforce how the cluster is used. UCP uses two types of admission controllers: default and custom.

Custom

  • UCPAuthorization:
    • Annotates Docker Compose-on-Kubernetes Stack resources with the identity of the user performing the request so that the Docker Compose-on-Kubernetes resource controller can manage Stacks with correct user authorization.
    • Detects when ServiceAccount resources are deleted so that they can be correctly removed from UCP’s Node scheduling authorization backend.
    • Simplifies creation of RoleBindings and ClusterRoleBindings resources by automatically converting user, organization, and team Subject names into their corresponding unique identifiers.
    • Prevents users from deleting the built-in cluster-admin ClusterRole or ClusterRoleBinding resources.
    • Prevents under-privileged users from creating or updating PersistentVolume resources with host paths.
    • Works in conjunction with the built-in PodSecurityPolicies admission controller to prevent under-privileged users from creating Pods with privileged options.
  • CheckImageSigning: Enforces UCP’s Docker Content Trust policy which, if enabled, requires that all pods use container images that have been digitally signed by trusted and authorized users who are members of one or more teams in UCP.
  • UCPNodeSelector: Adds a com.docker.ucp.orchestrator.kubernetes:* toleration to pods in the kube-system namespace and removes com.docker.ucp.orchestrator.kubernetes tolerations from pods in other namespaces. This ensures that user workloads do not run on swarm-only nodes, which UCP taints with com.docker.ucp.orchestrator.kubernetes:NoExecute. It also adds a node affinity to prevent pods from running on manager nodes depending on UCP’s settings.
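The following is an added, constructed model of two of the decisions listed above (the UCPNodeSelector toleration mutation and the UCPAuthorization hostPath check); it is not UCP's own code. Pods, PersistentVolumes and taints are plain dicts shaped like their Kubernetes objects, the `com.docker.ucp.orchestrator.kubernetes:*` toleration is assumed to mean a wildcard-value (operator `Exists`) toleration, the sample taint value `swarm-only` is invented, and the `is_privileged` flag stands in for UCP's own authorization lookup of the requesting user.

```python
"""Model of two UCP custom admission-controller behaviours (constructed
example, not UCP's own code).  Pods, PersistentVolumes and taints are plain
dicts shaped like their Kubernetes objects."""
import copy

# Key UCP uses to taint swarm-only nodes (named on the page).
UCP_K8S_KEY = "com.docker.ucp.orchestrator.kubernetes"
SYSTEM_NAMESPACE = "kube-system"

# Assumption: the page's "com.docker.ucp.orchestrator.kubernetes:*" toleration
# is modelled as a wildcard-value (operator Exists) toleration for NoExecute.
UCP_TOLERATION = {"key": UCP_K8S_KEY, "operator": "Exists", "effect": "NoExecute"}

# Constructed sample taint standing in for what UCP puts on swarm-only nodes;
# only the key and the NoExecute effect come from the page, the value is invented.
SWARM_ONLY_TAINT = {"key": UCP_K8S_KEY, "value": "swarm-only", "effect": "NoExecute"}


def mutate_pod_tolerations(pod):
    """UCPNodeSelector-style mutation.

    kube-system pods get the UCP toleration added; pods in every other
    namespace have any toleration with that key stripped, so a user cannot
    opt a workload onto swarm-only nodes by writing the toleration by hand.
    A new dict is returned; the caller's object is left untouched.
    """
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    kept = [t for t in spec.get("tolerations", []) if t.get("key") != UCP_K8S_KEY]
    if pod.get("metadata", {}).get("namespace") == SYSTEM_NAMESPACE:
        kept.append(dict(UCP_TOLERATION))
    spec["tolerations"] = kept
    return pod


def tolerates_taint(pod, taint):
    """Standard Kubernetes matching rule: a toleration matches a taint when the
    keys are equal (or the toleration has an empty key with operator Exists),
    the operator is Exists or the values are equal, and the toleration's
    effect is empty or equal to the taint's effect."""
    for tol in pod.get("spec", {}).get("tolerations", []):
        operator = tol.get("operator", "Equal")
        wildcard_key = tol.get("key", "") == "" and operator == "Exists"
        if not wildcard_key and tol.get("key") != taint["key"]:
            continue
        if operator == "Equal" and tol.get("value") != taint.get("value"):
            continue
        if tol.get("effect") not in ("", None, taint["effect"]):
            continue
        return True
    return False


def validate_persistent_volume(pv, is_privileged):
    """UCPAuthorization-style check on PersistentVolume create/update.

    Assumption: `is_privileged` stands in for UCP's own authorization lookup
    of the requesting user.  Returns (allowed, reason).
    """
    if "hostPath" in pv.get("spec", {}) and not is_privileged:
        return False, "hostPath PersistentVolumes may only be created by privileged users"
    return True, ""


def admission_response(uid, allowed, reason=""):
    """Build the `response` half of a Kubernetes AdmissionReview (v1 shape),
    as a validating webhook would return it."""
    resp = {"uid": uid, "allowed": allowed}
    if not allowed:
        resp["status"] = {"message": reason}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


if __name__ == "__main__":
    # Constructed sample objects.
    user_pod = {"metadata": {"name": "web", "namespace": "default"},
                "spec": {"tolerations": [dict(UCP_TOLERATION)]}}
    system_pod = {"metadata": {"name": "dns", "namespace": SYSTEM_NAMESPACE}, "spec": {}}
    host_pv = {"metadata": {"name": "data"}, "spec": {"hostPath": {"path": "/var/data"}}}

    for pod in (user_pod, system_pod):
        mutated = mutate_pod_tolerations(pod)
        print(pod["metadata"]["name"], "tolerates swarm-only taint:",
              tolerates_taint(mutated, SWARM_ONLY_TAINT))
    allowed, reason = validate_persistent_volume(host_pv, is_privileged=False)
    print(admission_response("constructed-uid", allowed, reason))
```

The user pod above arrives with the UCP toleration already written into its spec; after mutation it no longer tolerates the swarm-only taint, while the kube-system pod does, which is the property an operator would want to verify when auditing where workloads can land.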

Note

Custom admission controllers cannot be enabled or disabled by the user. For more information, see Supportability of custom Kubernetes flags in Universal Control Plane.
