mirror of https://github.com/docker/docs.git
| title | description | keywords |
|---|---|---|
| Admission controllers | Learn about how admission controllers are used in Docker Universal Control Plane (UCP). | cluster, psp, security |

This is the current list of admission controllers enabled on the Kubernetes API server in Docker Universal Control Plane (UCP):

## Default

- NamespaceLifecycle
- LimitRanger
- ServiceAccount
- PersistentVolumeLabel
- DefaultStorageClass
- DefaultTolerationSeconds
- NodeRestriction
- ResourceQuota
- PodNodeSelector
- PodSecurityPolicy

## Custom

- UCPAuthorization

  This custom admission controller does several things:

  - Annotates Docker Compose-on-Kubernetes `Stack` resources with the identity of the user performing the request, so that the Docker Compose-on-Kubernetes resource controller can manage `Stacks` with the correct user authorization.
  - Detects when `ServiceAccount` resources are deleted, so that they can be correctly removed from UCP's node scheduling authorization backend.
  - Simplifies creation of `RoleBinding` and `ClusterRoleBinding` resources by automatically converting user, organization, and team subject names into their corresponding unique identifiers.
  - Prevents users from deleting the built-in `cluster-admin` `ClusterRole` or `ClusterRoleBinding` resources.
  - Prevents under-privileged users from creating or updating `PersistentVolume` resources with host paths.
  - Works in conjunction with the built-in `PodSecurityPolicy` admission controller to prevent under-privileged users from creating `Pods` with privileged options.

- CheckImageSigning

  Enforces UCP's Docker Content Trust policy which, if enabled, requires that all pods use container images that have been digitally signed by trusted and authorized users who are members of one or more teams in UCP.

- UCPNodeSelector

  Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the `kube-system` namespace and removes `com.docker.ucp.orchestrator.kubernetes` tolerations from pods in other namespaces. This ensures that user workloads do not run on swarm-only nodes, which UCP taints with `com.docker.ucp.orchestrator.kubernetes:NoExecute`. It also adds a node affinity to prevent pods from running on manager nodes, depending on UCP's settings.

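To make the UCPAuthorization and UCPNodeSelector behaviour above concrete, here is an added example that models three of those rules as an admission decision function. It is not UCP's code and does not use the real `k8s.io/api` types: `Toleration`, `Pod`, `PersistentVolume` and `Request` are minimal stand-ins, `UserIsAdmin` is an assumed placeholder for the answer UCP's authorization backend would give, and the page's `com.docker.ucp.orchestrator.kubernetes:*` toleration is interpreted as an `Exists` toleration on that key (an assumption). `ToleratesTaint` reproduces the scheduler's taint/toleration matching so you can see why a stripped user pod cannot run on a node tainted `com.docker.ucp.orchestrator.kubernetes:NoExecute`.

```go
package main

import (
	"errors"
	"fmt"
)

// Key UCP uses for the taint on swarm-only nodes and for the matching toleration (from the page).
const ucpOrchestratorKey = "com.docker.ucp.orchestrator.kubernetes"

// Minimal stand-ins for the Kubernetes API types (assumed here; not k8s.io/api).
type Toleration struct {
	Key, Operator, Value, Effect string // Operator is "Exists" or "Equal"
}

type Pod struct {
	Namespace   string
	Tolerations []Toleration
}

type PersistentVolume struct {
	HostPath string // non-empty when spec.hostPath is set
}

// Request carries the parts of an admission request that the rules below look at.
type Request struct {
	Operation   string // CREATE, UPDATE or DELETE
	Kind        string // Pod, PersistentVolume, ClusterRole or ClusterRoleBinding
	Name        string
	UserIsAdmin bool // assumed stand-in for UCP's authorization backend answer
	Pod         *Pod
	PV          *PersistentVolume
}

var ErrDenied = errors.New("admission denied")

// validate applies two of the UCPAuthorization rules from the page.
func validate(r Request) error {
	protected := r.Kind == "ClusterRole" || r.Kind == "ClusterRoleBinding"
	if r.Operation == "DELETE" && protected && r.Name == "cluster-admin" {
		return fmt.Errorf("%w: built-in %s %q cannot be deleted", ErrDenied, r.Kind, r.Name)
	}
	write := r.Operation == "CREATE" || r.Operation == "UPDATE"
	if r.Kind == "PersistentVolume" && write && r.PV != nil && r.PV.HostPath != "" && !r.UserIsAdmin {
		return fmt.Errorf("%w: hostPath PersistentVolume requires admin privileges", ErrDenied)
	}
	return nil
}

// mutateTolerations applies the UCPNodeSelector rule. The page's "key:*" toleration is
// modelled as operator Exists (tolerate any value and any effect), which is an assumption.
func mutateTolerations(p *Pod) {
	kept := make([]Toleration, 0, len(p.Tolerations)+1)
	for _, t := range p.Tolerations {
		if t.Key != ucpOrchestratorKey { // strip the UCP toleration wherever it came from
			kept = append(kept, t)
		}
	}
	if p.Namespace == "kube-system" { // only system pods may run on swarm-only nodes
		kept = append(kept, Toleration{Key: ucpOrchestratorKey, Operator: "Exists"})
	}
	p.Tolerations = kept
}

// Admit validates the request and, for pods, rewrites the tolerations in place.
func Admit(r Request) (Request, error) {
	if err := validate(r); err != nil {
		return r, err
	}
	if r.Kind == "Pod" && r.Pod != nil {
		mutateTolerations(r.Pod)
	}
	return r, nil
}

// ToleratesTaint mirrors the scheduler's matching rule: a toleration matches a taint when
// key and effect match (an empty toleration effect matches any effect) and the operator is
// Exists or the values are equal.
func ToleratesTaint(p *Pod, taintKey, taintValue, taintEffect string) bool {
	for _, t := range p.Tolerations {
		if t.Effect != "" && t.Effect != taintEffect {
			continue
		}
		if t.Key != "" && t.Key != taintKey {
			continue
		}
		if t.Operator == "Exists" || t.Value == taintValue {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a user pod in "default" that tries to smuggle in the UCP toleration.
	user := Request{Operation: "CREATE", Kind: "Pod", Pod: &Pod{Namespace: "default",
		Tolerations: []Toleration{{Key: ucpOrchestratorKey, Operator: "Exists"}}}}
	out, _ := Admit(user)
	fmt.Printf("default pod tolerates swarm-only taint: %v\n",
		ToleratesTaint(out.Pod, ucpOrchestratorKey, "", "NoExecute"))
	_, err := Admit(Request{Operation: "DELETE", Kind: "ClusterRoleBinding", Name: "cluster-admin", UserIsAdmin: true})
	fmt.Println(err)
}
```

The order matters: validation runs before mutation, so a request that is denied is never partially rewritten, and the toleration is stripped unconditionally outside `kube-system` rather than only when it has a particular value, which is what stops a user from tolerating the `NoExecute` taint by choosing a different value or effect.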
Note: you cannot enable or disable your own admission controllers; the set listed above is fixed by UCP. For more information, see Supportability of custom Kubernetes flags in Universal Control Plane.

For more information about pod security policies in Docker, see Pod security policies.