Supported Admission Controllers

The Kubernetes version you select when you create a cluster using Container Engine for Kubernetes determines the default set of admission controllers that are turned on in the created cluster. The set follows the recommendation given in the Kubernetes documentation for that version. This topic shows the supported admission controllers, the order in which they run in the Kubernetes API server, and the Kubernetes versions in which they are supported.

Supported Admission Controllers (sorted by Kubernetes version and run order)

The table lists the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. For each Kubernetes version, the table shows the supported admission controllers and the order in which they run in the Kubernetes API server.

| Supported in Kubernetes 1.14 clusters | Supported in Kubernetes 1.15 clusters | Supported in Kubernetes 1.16 clusters |
| --- | --- | --- |
| NamespaceLifecycle | NamespaceLifecycle | NamespaceLifecycle |
| LimitRanger | LimitRanger | LimitRanger |
| ServiceAccount | ServiceAccount | ServiceAccount |
| TaintNodesByCondition | TaintNodesByCondition | TaintNodesByCondition |
| Priority | Priority | Priority |
| DefaultTolerationSeconds | DefaultTolerationSeconds | DefaultTolerationSeconds |
| DefaultStorageClass | DefaultStorageClass | DefaultStorageClass |
| PersistentVolumeClaimResize | PersistentVolumeClaimResize | StorageObjectInUseProtection |
| MutatingAdmissionWebhook | MutatingAdmissionWebhook | PersistentVolumeClaimResize |
| ValidatingAdmissionWebhook | ValidatingAdmissionWebhook | MutatingAdmissionWebhook |
| ResourceQuota | ResourceQuota | ValidatingAdmissionWebhook |
| NodeRestriction | StorageObjectInUseProtection | RuntimeClass |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | NodeRestriction | ResourceQuota |
| | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | NodeRestriction |
| | | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) |

Admission Controllers (sorted alphabetically)

The table lists, in alphabetical order, the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. For each admission controller, the table shows the Kubernetes version in which it is supported.

| Admission Controllers (in alphabetical order) | Supported in 1.14? | Supported in 1.15? | Supported in 1.16? |
| --- | --- | --- | --- |
| DefaultStorageClass | Yes | Yes | Yes |
| DefaultTolerationSeconds | Yes | Yes | Yes |
| LimitRanger | Yes | Yes | Yes |
| MutatingAdmissionWebhook | Yes | Yes | Yes |
| NamespaceLifecycle | Yes | Yes | Yes |
| NodeRestriction | Yes | Yes | Yes |
| PersistentVolumeClaimResize | Yes | Yes | Yes |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | Yes | Yes | Yes |
| Priority | Yes | Yes | Yes |
| ResourceQuota | Yes | Yes | Yes |
| RuntimeClass | No | No | Yes |
| ServiceAccount | Yes | Yes | Yes |
| StorageObjectInUseProtection | No | Yes | Yes |
| TaintNodesByCondition | Yes | Yes | Yes |
| ValidatingAdmissionWebhook | Yes | Yes | Yes |