From 08f75af4fa8f94edcf366b02c93e09b38bd8bcf4 Mon Sep 17 00:00:00 2001 From: Dawn W Docker Date: Mon, 15 Jul 2019 12:50:17 -0700 Subject: [PATCH] updating topic with details from jlhawn --- .../admin/configure/admission-controllers.md | 32 +++++++++++++++++-- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/ee/ucp/admin/configure/admission-controllers.md b/ee/ucp/admin/configure/admission-controllers.md index 247d5313a5..bc78412334 100644 --- a/ee/ucp/admin/configure/admission-controllers.md +++ b/ee/ucp/admin/configure/admission-controllers.md 
@@ -20,9 +20,35 @@ This is the current list of admission controllers used by Docker: - [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) ### Custom -- UCPAuthorization -- CheckImageSigning -- UCPNodeSelector +- **UCPAuthorization** +This custom admission controller does several things: + - Annotates Docker Compose-on-Kubernetes `Stack` resources with the identity +of the user performing the request so that the Docker Compose-on-Kubernetes +resource controller can manage `Stacks` with correct user authorization. + - Detects when `ServiceAccount` resources are deleted so that they can be +correctly removed from UCP's Node scheduling authorization backend. + - Simplifies creation of `RoleBindings` and `ClusterRoleBindings` resources by +automatically converting user, organization, and team Subject names into +their corresponding unique identifiers. + - Prevents users from deleting the builtin `cluster-admin` `ClusterRole` or +`ClusterRoleBinding` resources. + - Prevents under-privileged users from creating or updating `PersistintVolume` +resources with host paths. + - Works in conjunction with the builtin `PodSecurityPolicies` admission +controller to prevent under-privileged users from creating `Pods` with +privileged options. +- **CheckImageSigning** +Enforces UCP's Docker Content Trust policy which, if enabled, requires that all +Pods use container images which have been digitally signed by trusted and +authorized users which are members of one or more teams in UCP. +- **UCPNodeSelector** +Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the +kube-system namespace and removes `com.docker.ucp.orchestrator.kubernetes` +tolerations from pods in other namespaces. This ensures that user workloads do +not run on swarm-only nodes, which UCP taints with +`com.docker.ucp.orchestrator.kubernetes:NoExecute`. 
It also adds a node +affinity to prevent pods from running on manager nodes depending on UCP's +settings. **Note:** you cannot enable or disable your own admission controllers. For more information about why, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane)
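Review bot: the new UCPAuthorization bullet misspells a Kubernetes resource name: "`PersistintVolume` resources with host paths" should read `PersistentVolume`, since readers may search the docs for the exact kind name. Two smaller points in the same hunk: the sub-bullets under `- **UCPAuthorization**` (" - Annotates ...", " - Detects ...", etc.) are indented by a single space, which CommonMark treats as items of the outer list rather than a nested list, so indent them by at least two spaces to keep them under UCPAuthorization; and in the CheckImageSigning text "authorized users which are members of one or more teams" reads better as "who are members". The trailing context line about not being able to enable or disable your own admission controllers is unchanged and still makes sense after the expanded descriptions.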