Admission control plug-ins intercept requests to the master API prior to persistence of a resource, but after the request is authenticated and authorized.
Each admission control plug-in is run in sequence before a request is accepted into the cluster. If any plug-in in the sequence rejects the request, the entire request is rejected immediately, and an error is returned to the end-user.
Admission control plug-ins may modify the incoming object in some cases to apply system-configured defaults. In addition, admission control plug-ins may modify related resources as part of request processing, for example to increment quota usage.
Warning
The {product-title} master has a default list of plug-ins enabled for each type of resource (Kubernetes and {product-title}). These are required for the proper functioning of the master. Modifying these lists is not recommended unless you know exactly what you are doing. Future versions of the product may use a different set of plug-ins and may change their ordering. If you do override the default list of plug-ins in the master configuration file, you are responsible for updating it to reflect the requirements of newer versions of the {product-title} master.
Starting in
{product-title} uses a single admission chain for Kubernetes and {product-title}
resources. This changed from
and before where we had separate admission chains. This means that the top-level admissionConfig.pluginConfig element can now contain the admission plug-in configuration, which used to be contained in kubernetesMasterConfig.admissionConfig.pluginConfig.
The kubernetesMasterConfig.admissionConfig.pluginConfig should be moved and merged into admissionConfig.pluginConfig.
Also, starting in
all the supported admission plug-ins are ordered in the single chain for you. You should no longer set admissionConfig.pluginOrderOverride or kubernetesMasterConfig.admissionConfig.pluginOrderOverride. Instead, you should enable plug-ins that are off by default by either adding their plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza like this:
admissionConfig:
  pluginConfig:
    AlwaysPullImages: # (1)
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false # (2)

(1) Admission plug-in name.
(2) Indicates that a plug-in should be enabled. It is optional and shown here only for reference.

Setting disable to true will disable an admission plug-in that defaults to on.
Warning
Admission plug-ins are commonly used to help enforce security on the API server. Be careful when disabling them.
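The migration described above, as an added example that is not part of the product documentation: it merges kubernetesMasterConfig.admissionConfig.pluginConfig into admissionConfig.pluginConfig, drops both pluginOrderOverride settings, and reports every plug-in that a DefaultAdmissionConfig stanza switches off so the change can be reviewed. The function names, the finding labels, the "ExamplePlugin" name and the choice to leave conflicting stanzas in place are assumptions of this example; the input is a constructed dict standing in for a parsed master configuration file.

```python
import copy

def migrate_admission_config(master_config):
    """Merge into the single chain; return (new_config, findings)."""
    cfg = copy.deepcopy(master_config)
    findings = []
    top = cfg.setdefault("admissionConfig", {})
    merged = top.get("pluginConfig") or {}
    top["pluginConfig"] = merged
    kube = (cfg.get("kubernetesMasterConfig") or {}).get("admissionConfig") or {}
    # Move kubernetesMasterConfig plug-in configuration into the top level.
    old = kube.get("pluginConfig") or {}
    for name in list(old):
        if name in merged and merged[name] != old[name]:
            # Assumption: conflicting stanzas stay put for a human to resolve.
            findings.append(("conflict", name))
        else:
            merged[name] = old.pop(name)
    if not old:
        kube.pop("pluginConfig", None)
    # Ordering is handled for you now, so drop both overrides.
    for label, section in (("admissionConfig", top),
                           ("kubernetesMasterConfig.admissionConfig", kube)):
        if section.pop("pluginOrderOverride", None) is not None:
            findings.append(("removed-pluginOrderOverride", label))
    # Report plug-ins switched off through a DefaultAdmissionConfig stanza.
    for name in sorted(merged):
        conf = (merged[name] or {}).get("configuration") or {}
        if conf.get("kind") == "DefaultAdmissionConfig" and conf.get("disable") is True:
            findings.append(("disabled", name))
    return cfg, findings

def default_stanza(disable):
    return {"configuration": {"kind": "DefaultAdmissionConfig",
                              "apiVersion": "v1", "disable": disable}}

# Constructed sample: the dict a YAML parser would return for a master
# configuration file. "ExamplePlugin" is a placeholder plug-in name.
SAMPLE = {
    "admissionConfig": {
        "pluginOrderOverride": ["NamespaceLifecycle", "AlwaysPullImages"],
        "pluginConfig": {"AlwaysPullImages": default_stanza(False)},
    },
    "kubernetesMasterConfig": {"admissionConfig": {"pluginConfig": {
        "AlwaysPullImages": default_stanza(True),
        "ExamplePlugin": default_stanza(True),
    }}},
}
print(migrate_admission_config(SAMPLE)[1])
```

In the sample, AlwaysPullImages is enabled at the top level but disabled in the old location, so it is reported as a conflict and left where it was instead of being overwritten.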
Note
If you were previously using