Admission control plug-ins intercept requests to the master API prior to persistence of a resource, but after the request is authenticated and authorized.
Each admission control plug-in is run in sequence before a request is accepted into the cluster. If any plug-in in the sequence rejects the request, the entire request is rejected immediately, and an error is returned to the end-user.
Admission control plug-ins may modify the incoming object in some cases to apply system-configured defaults. In addition, admission control plug-ins may modify related resources as part of request processing, for example to increment quota usage.
The OKD master has a list of plug-ins that are enabled by default for each type of resource (Kubernetes and OKD). These are required for the proper functioning of the master. Modifying these lists is not recommended unless you know exactly what you are doing. Future versions of the product may use a different set of plug-ins and may change their ordering. If you do override the default list of plug-ins in the master configuration file, you are responsible for updating it to reflect the requirements of newer versions of the OKD master.
OKD uses a single admission chain for Kubernetes and OKD resources. This means that the top-level admissionConfig.pluginConfig element can now contain the admission plug-in configuration, which used to be contained in kubernetesMasterConfig.admissionConfig.pluginConfig should be moved and merged into
All the supported admission plug-ins are ordered in the single chain for you. You do not set admissionConfig.pluginOrderOverride or the kubernetesMasterConfig.admissionConfig.pluginOrderOverride. Instead, enable plug-ins that are off by default by either adding their plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza like this:
admissionConfig:
  pluginConfig:
    AlwaysPullImages: # (1)
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false # (2)
(1) Admission plug-in name.
(2) Indicates that a plug-in should be enabled. It is optional and shown here only for reference.
Setting disable to true will disable an admission plug-in that defaults to on.
Admission plug-ins are commonly used to help enforce security on the API server. Be careful when disabling them.
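The points above can be checked mechanically before a master is restarted. The following is an added example, not part of OKD or its tooling: it assumes the master configuration has already been parsed into a dict, and the function names, the sample, and the ExamplePlugin name are made up for illustration.

```python
# Added example: audit an OKD master configuration already parsed into a dict.
# Function names and the sample below are assumptions made for illustration.

def get_map(node, *path):
    """Walk nested dicts; return {} if any level is missing or not a mapping."""
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def audit_admission(cfg):
    """Return sorted (severity, message) findings for the admission settings."""
    findings = []
    for prefix in ((), ("kubernetesMasterConfig",)):
        where = ".".join(prefix + ("admissionConfig",))
        adm = get_map(cfg, *prefix, "admissionConfig")
        plugins = get_map(adm, "pluginConfig")
        if adm.get("pluginOrderOverride"):
            findings.append(("warn", f"{where}.pluginOrderOverride is set; "
                                     "plug-ins are ordered in the single chain for you"))
        if prefix and plugins:
            findings.append(("warn", f"{where}.pluginConfig is the old location; "
                                     "the top-level admissionConfig.pluginConfig holds this now"))
        for name in sorted(plugins):
            conf = get_map(plugins[name], "configuration")
            if conf.get("kind") == "DefaultAdmissionConfig" and conf.get("disable") is True:
                findings.append(("high", f"{name} is disabled in {where}.pluginConfig"))
    return sorted(findings)

def default_stanza(disable):
    """Build the DefaultAdmissionConfig stanza shown on this page."""
    return {"configuration": {"kind": "DefaultAdmissionConfig",
                              "apiVersion": "v1", "disable": disable}}

# Constructed sample; ExamplePlugin is a placeholder, not a real plug-in name.
SAMPLE = {
    "admissionConfig": {"pluginConfig": {
        "AlwaysPullImages": default_stanza(False),
        "ExamplePlugin": default_stanza(True),
    }},
    "kubernetesMasterConfig": {"admissionConfig": {
        "pluginOrderOverride": ["ExamplePlugin"],
        "pluginConfig": {"AlwaysPullImages": default_stanza(False)},
    }},
}

if __name__ == "__main__":
    for severity, message in audit_admission(SAMPLE):
        print(f"[{severity}] {message}")
```

Plug-ins that carry their own plug-in-specific configuration instead of a DefaultAdmissionConfig stanza are not reported as disabled, because that configuration is not described on this page.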
If you were previously using
Cluster administrators can configure some admission control plug-ins to control certain behavior, such as:
Admission controllers using containers also support init containers.