Update admission-controllers.md

Dawn W 2019-07-16 08:42:59 -07:00 committed by GitHub
parent 08f75af4fa
commit 52b85594a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 5 deletions


@ -30,16 +30,16 @@ correctly removed from UCP's Node scheduling authorization backend.
- Simplifies creation of `RoleBindings` and `ClusterRoleBindings` resources by - Simplifies creation of `RoleBindings` and `ClusterRoleBindings` resources by
automatically converting user, organization, and team Subject names into automatically converting user, organization, and team Subject names into
their corresponding unique identifiers. their corresponding unique identifiers.
- Prevents users from deleting the builtin `cluster-admin` `ClusterRole` or - Prevents users from deleting the built-in `cluster-admin` `ClusterRole` or
`ClusterRoleBinding` resources. `ClusterRoleBinding` resources.
- Prevents under-privileged users from creating or updating `PersistintVolume` - Prevents under-privileged users from creating or updating `PersistintVolume`
resources with host paths. resources with host paths.
- Works in conjunction with the builtin `PodSecurityPolicies` admission - Works in conjunction with the built-in `PodSecurityPolicies` admission
controller to prevent under-privileged users from creating `Pods` with controller to prevent under-privileged users from creating `Pods` with
privileged options. privileged options.
- **CheckImageSigning** - **CheckImageSigning**
Enforces UCP's Docker Content Trust policy which, if enabled, requires that all Enforces UCP's Docker Content Trust policy which, if enabled, requires that all
Pods use container images which have been digitally signed by trusted and pods use container images which have been digitally signed by trusted and
authorized users which are members of one or more teams in UCP. authorized users which are members of one or more teams in UCP.
- **UCPNodeSelector** - **UCPNodeSelector**
Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the
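Review bot: the misspelling `PersistintVolume` in the "Prevents under-privileged users from creating or updating" bullet is carried over unchanged on both sides of this hunk; since this commit is already correcting spelling ("builtin" to "built-in", "Pods" to "pods"), fix it here too, as `PersistentVolume` is the actual Kubernetes resource name and a reader searching the docs for it will otherwise miss this host-path restriction. Two smaller points in the same hunk: the **CheckImageSigning** description would read better as "users who are members of one or more teams in UCP", and the lowercasing of "Pods" to "pods" is applied only in that bullet while the PodSecurityPolicies bullet still has the backticked `Pods`; that one is a resource name, so keeping it capitalized in code formatting is fine, but the change should be deliberate.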
@ -50,6 +50,6 @@ not run on swarm-only nodes, which UCP taints with
affinity to prevent pods from running on manager nodes depending on UCP's affinity to prevent pods from running on manager nodes depending on UCP's
settings. settings.
**Note:** you cannot enable or disable your own admission controllers. For more information about why, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane) **Note:** you cannot enable or disable your own admission controllers. For more information, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane)
For more information about pod security policies in Docker, see [Pod security policies](/ee/ucp/kubernetes/pod-security-policies.md). For more information about pod security policies in Docker, see [Pod security policies](/ee/ucp/kubernetes/pod-security-policies.md).
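Review bot: the rewritten **Note:** line still has no terminating period after the link, and the line that follows ("For more information about pod security policies in Docker, see ...") is not separated from it by a blank line, so in rendered Markdown the note and the pod-security-policies sentence collapse into one paragraph and the note's emphasis is lost. Suggest ending the note with a period and inserting a blank line before the next sentence. While touching the link, "custom kubernetes flags" in the link text should read "custom Kubernetes flags" to match the capitalization used elsewhere in this file.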