This is a cache of https://docs.openshift.com/aro/3/architecture/additional_concepts/admission_controllers.html. It is a snapshot of the page at 2024-11-25T21:02:15.702+0000.
Admission Controllers - Additional Concepts | Architecture | Azure Red Hat OpenShift 3
×

Important

Azure Red Hat OpenShift 3.11 will be retired 30 June 2022. Support for creation of new Azure Red Hat OpenShift 3.11 clusters continues through 30 November 2020. Following retirement, remaining Azure Red Hat OpenShift 3.11 clusters will be shut down to prevent security vulnerabilities.

Follow this guide to create an Azure Red Hat OpenShift 4 cluster. If you have specific questions, please contact us


Overview

Admission control plug-ins intercept requests to the master API prior to persistence of a resource, but after the request is authenticated and authorized.

Each admission control plug-in is run in sequence before a request is accepted into the cluster. If any plug-in in the sequence rejects the request, the entire request is rejected immediately, and an error is returned to the end-user.

Admission control plug-ins may modify the incoming object in some cases to apply system configured defaults. In addition, admission control plug-ins may modify related resources as part of request processing to do things such as incrementing quota usage.

The Azure Red Hat OpenShift master has a list of plug-ins that are enabled by default for each type of resource (Kubernetes and Azure Red Hat OpenShift). These are required for the proper functioning of the master. Future versions of the product might use a different set of plug-ins and might change their ordering. The default list of plug-ins is immutable.

General Admission Rules

Azure Red Hat OpenShift uses a single admission chain for Kubernetes and Azure Red Hat OpenShift resources. This means that the top-level admissionConfig.pluginConfig element can now contain the admission plug-in configuration, which used to be contained in kubernetesmasterConfig.admissionConfig.pluginConfig.

The kubernetesmasterConfig.admissionConfig.pluginConfig should be moved and merged into admissionConfig.pluginConfig.

All the supported admission plug-ins are ordered in the single chain for you. You do not set admissionConfig.pluginOrderOverride or the kubernetesmasterConfig.admissionConfig.pluginOrderOverride. Instead, enable plug-ins that are off by default by either adding their plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza like this:

admissionConfig:
  pluginConfig:
    AlwaysPullImages: (1)
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false (2)
1 Admission plug-in name.
2 Indicates that a plug-in should be enabled. It is optional and shown here only for reference.

Setting disable to true will disable an admission plug-in that defaults to on.

Admission plug-ins are commonly used to help enforce security on the API server. Be careful when disabling them.

If you were previously using admissionConfig elements that cannot be safely combined into a single admission chain, you will get a warning in your API server logs and your API server will start with two separate admission chains for legacy compatibility. Update your admissionConfig to resolve the warning.