Supported Admission Controllers
The Kubernetes version you select when you create a cluster using Container Engine for Kubernetes determines the default set of admission controllers that are turned on in the created cluster. The set follows the recommendation given in the Kubernetes documentation for that version. This topic shows the supported admission controllers, the Kubernetes versions in which they are supported, and the order in which they run in the Kubernetes API server.
Admission Controllers (sorted alphabetically)
The table lists, in alphabetical order, the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. For each admission controller, the table shows the Kubernetes version in which it is supported.
| Admission Controllers (in alphabetical order) | Supported in 1.16? | Supported in 1.17? | Supported in 1.18? |
|---|---|---|---|
| DefaultIngressClass | No | No | Yes |
| DefaultStorageClass | Yes | Yes | Yes |
| DefaultTolerationSeconds | Yes | Yes | Yes |
| ExtendedResourceToleration | Yes | Yes | Yes |
| LimitRanger | Yes | Yes | Yes |
| MutatingAdmissionWebhook | Yes | Yes | Yes |
| NamespaceLifecycle | Yes | Yes | Yes |
| NodeRestriction | Yes | Yes | Yes |
| PersistentVolumeClaimResize | No | No | No |
| PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) | Yes | Yes | Yes |
| Priority | Yes | Yes | Yes |
| ResourceQuota | No | No | No |
| RuntimeClass | Yes | Yes | Yes |
| ServiceAccount | Yes | Yes | Yes |
| StorageObjectInUseProtection | Yes | Yes | Yes |
| TaintNodesByCondition | Yes | Yes | Yes |
| ValidatingAdmissionWebhook | No | No | No |
Supported Admission Controllers (sorted by run order)
The table lists the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. The table shows the order in which supported admission controllers run in the Kubernetes API server. Note that the run order is different in different Kubernetes versions.
| Run order in Kubernetes 1.16 clusters: | Run order in Kubernetes 1.17 clusters: | Run order in Kubernetes 1.18 clusters: |
|---|---|---|
| NamespaceLifecycle | NamespaceLifecycle | NamespaceLifecycle |
| LimitRanger | LimitRanger | LimitRanger |
| ServiceAccount | ServiceAccount | ServiceAccount |
| NodeRestriction | NodeRestriction | NodeRestriction |
| TaintNodesByCondition | TaintNodesByCondition | TaintNodesByCondition |
| PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) |
| Priority | Priority | Priority |
| DefaultTolerationSeconds | DefaultTolerationSeconds | DefaultTolerationSeconds |
| ExtendedResourceToleration | ExtendedResourceToleration | ExtendedResourceToleration |
| DefaultStorageClass | DefaultStorageClass | DefaultStorageClass |
| StorageObjectInUseProtection | StorageObjectInUseProtection | StorageObjectInUseProtection |
| MutatingAdmissionWebhook | MutatingAdmissionWebhook | RuntimeClass |
| RuntimeClass | RuntimeClass | DefaultIngressClass |
| MutatingAdmissionWebhook | ||