Supported Admission Controllers

The Kubernetes version you select when you create a cluster using Container Engine for Kubernetes determines the default set of admission controllers that are turned on in the created cluster. The set follows the recommendation given in the Kubernetes documentation for that version. This topic shows the supported admission controllers, the Kubernetes versions in which they are supported, and the order in which they run in the Kubernetes API server.

Admission Controllers (sorted alphabetically)

The table lists, in alphabetical order, the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. For each admission controller, the table shows the Kubernetes version in which it is supported.

| Admission Controllers (in alphabetical order) | Supported in 1.18? | Supported in 1.19? | Supported in 1.20? |
|---|---|---|---|
| DefaultIngressClass | Yes | Yes | Yes |
| DefaultStorageClass | Yes | Yes | Yes |
| DefaultTolerationSeconds | Yes | Yes | Yes |
| ExtendedResourceToleration | Yes | Yes | Yes |
| LimitRanger | Yes | Yes | Yes |
| MutatingAdmissionWebhook | Yes | Yes | Yes |
| NamespaceLifecycle | Yes | Yes | Yes |
| NodeRestriction | Yes | Yes | Yes |
| PersistentVolumeClaimResize | No | No | No |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | Yes | Yes | Yes |
| Priority | Yes | Yes | Yes |
| ResourceQuota | No | No | No |
| RuntimeClass | Yes | Yes | Yes |
| ServiceAccount | Yes | Yes | Yes |
| StorageObjectInUseProtection | Yes | Yes | Yes |
| TaintNodesByCondition | Yes | Yes | Yes |
| ValidatingAdmissionWebhook | Yes | Yes | Yes |

Supported Admission Controllers (sorted by run order)

The table lists the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. The table shows the order in which supported admission controllers run in the Kubernetes API server. Note that the run order is different in different Kubernetes versions.

| Run order in Kubernetes 1.18 clusters | Run order in Kubernetes 1.19 clusters | Run order in Kubernetes 1.20 clusters |
|---|---|---|
| NamespaceLifecycle | NamespaceLifecycle | NamespaceLifecycle |
| LimitRanger | LimitRanger | LimitRanger |
| ServiceAccount | ServiceAccount | ServiceAccount |
| NodeRestriction | NodeRestriction | NodeRestriction |
| TaintNodesByCondition | TaintNodesByCondition | TaintNodesByCondition |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) |
| Priority | Priority | Priority |
| DefaultTolerationSeconds | DefaultTolerationSeconds | DefaultTolerationSeconds |
| ExtendedResourceToleration | ExtendedResourceToleration | ExtendedResourceToleration |
| DefaultStorageClass | DefaultStorageClass | DefaultStorageClass |
| StorageObjectInUseProtection | StorageObjectInUseProtection | StorageObjectInUseProtection |
| RuntimeClass | RuntimeClass | RuntimeClass |
| DefaultIngressClass | DefaultIngressClass | DefaultIngressClass |
| MutatingAdmissionWebhook | MutatingAdmissionWebhook | MutatingAdmissionWebhook |
| ValidatingAdmissionWebhook | ValidatingAdmissionWebhook | ValidatingAdmissionWebhook |