Supported Admission Controllers
The Kubernetes version you select when you create a cluster using Container Engine for Kubernetes determines the default set of admission controllers that are turned on in the created cluster. The set follows the recommendation given in the Kubernetes documentation for that version. This topic shows the supported admission controllers, the Kubernetes versions in which they are supported, and the order in which they run in the Kubernetes API server.
Note that if you install other admission controllers in a way that mutates or rejects requests in the kube-system namespace, the Kubernetes control plane components might stop functioning or behave unexpectedly. For more information, see Avoiding operating on the kube-system namespace in the Kubernetes documentation.
Admission Controllers (sorted alphabetically)
The tables list, in alphabetical order, the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. For each admission controller, the tables show the Kubernetes version in which it is supported.
Mutating Admission Controllers (sorted alphabetically)
| Admission Controllers (in alphabetical order) | Supported in 1.23? | Supported in 1.24? | Supported in 1.25? | Supported in 1.26? |
|---|---|---|---|---|
| DefaultIngressClass | Yes | Yes | Yes | Yes |
| DefaultStorageClass | Yes | Yes | Yes | Yes |
| DefaultTolerationSeconds | Yes | Yes | Yes | Yes |
| ExtendedResourceToleration | Yes | Yes | Yes | Yes |
| LimitRanger | Yes | Yes | Yes | Yes |
| MutatingAdmissionWebhook | Yes | Yes | Yes | Yes |
| NamespaceLifecycle | Yes | Yes | Yes | Yes |
| NodeRestriction | Yes | Yes | Yes | Yes |
| PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) | Yes | Yes | No | Yes |
| Priority | Yes | Yes | Yes | Yes |
| RuntimeClass | Yes | Yes | Yes | Yes |
| ServiceAccount | Yes | Yes | Yes | Yes |
| StorageObjectInUseProtection | Yes | Yes | Yes | Yes |
| TaintNodesByCondition | Yes | Yes | Yes | Yes |
Validating Admission Controllers (sorted alphabetically)
| Admission Controllers (in alphabetical order) | Supported in 1.23? | Supported in 1.24? | Supported in 1.25? | Supported in 1.26? |
|---|---|---|---|---|
| CertificateApproval | Yes | Yes | Yes | Yes |
| CertificateSigning | Yes | Yes | Yes | Yes |
| CertificateSubjectRestriction | Yes | Yes | Yes | Yes |
| ImagePolicyWebhook | Yes | Yes | Yes | Yes |
| LimitRanger | Yes | Yes | Yes | Yes |
| PersistentVolumeClaimResize | Yes | Yes | Yes | Yes |
| PodSecurity | Yes | Yes | Yes | Yes |
| PodSecurityPolicy (optional, see Using Pod Security Polices with Container Engine for Kubernetes) | Yes | Yes | No | Yes |
| Priority | Yes | Yes | Yes | Yes |
| ResourceQuota | Yes | Yes | Yes | Yes |
| RuntimeClass | Yes | Yes | Yes | Yes |
| ServiceAccount | Yes | Yes | Yes | Yes |
| ValidatingAdmissionWebhook | Yes | Yes | Yes | Yes |
Admission Controllers (sorted by run order)
The tables list the admission controllers that are turned on in the Kubernetes clusters you create using Container Engine for Kubernetes. The tables show the order in which supported admission controllers run in the Kubernetes API server. Note that the run order can be different in different Kubernetes versions.
Mutating Admission Controllers (sorted by run order)
| Run order in Kubernetes 1.23 clusters: | Run order in Kubernetes 1.24 clusters: | Run order in Kubernetes 1.25 clusters: | Run order in Kubernetes 1.26 clusters: |
|---|---|---|---|
| NamespaceLifecycle | NamespaceLifecycle | NamespaceLifecycle | NamespaceLifecycle |
| LimitRanger | LimitRanger | LimitRanger | LimitRanger |
| ServiceAccount | ServiceAccount | ServiceAccount | ServiceAccount |
| NodeRestriction | NodeRestriction | NodeRestriction | NodeRestriction |
| TaintNodesByCondition | TaintNodesByCondition | TaintNodesByCondition | TaintNodesByCondition |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | Priority | Priority |
| Priority | Priority | DefaultTolerationSeconds | DefaultTolerationSeconds |
| DefaultTolerationSeconds | DefaultTolerationSeconds | ExtendedResourceToleration | ExtendedResourceToleration |
| ExtendedResourceToleration | ExtendedResourceToleration | DefaultStorageClass | DefaultStorageClass |
| DefaultStorageClass | DefaultStorageClass | StorageObjectInUseProtection | StorageObjectInUseProtection |
| StorageObjectInUseProtection | StorageObjectInUseProtection | RuntimeClass | RuntimeClass |
| RuntimeClass | RuntimeClass | DefaultIngressClass | DefaultIngressClass |
| DefaultIngressClass | DefaultIngressClass | MutatingAdmissionWebhook | MutatingAdmissionWebhook |
| MutatingAdmissionWebhook | MutatingAdmissionWebhook |
Validating Admission Controllers (sorted by run order)
| Run order in Kubernetes 1.23 clusters: | Run order in Kubernetes 1.24 clusters: | Run order in Kubernetes 1.25 clusters: | Run order in Kubernetes 1.26 clusters: |
|---|---|---|---|
| LimitRanger | LimitRanger | LimitRanger | LimitRanger |
| ServiceAccount | ServiceAccount | ServiceAccount | ServiceAccount |
| ImagePolicyWebhook | ImagePolicyWebhook | ImagePolicyWebhook | ImagePolicyWebhook |
| PodSecurity | PodSecurity | PodSecurity | PodSecurity |
| PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | PodSecurityPolicy (optional, see Using Pod Security Policies with Container Engine for Kubernetes) | Priority | Priority |
| Priority | Priority | PersistentVolumeClaimResize | PersistentVolumeClaimResize |
| PersistentVolumeClaimResize | PersistentVolumeClaimResize | RuntimeClass | RuntimeClass |
| RuntimeClass | RuntimeClass | CertificateApproval | CertificateApproval |
| CertificateApproval | CertificateApproval | CertificateSigning | CertificateSigning |
| CertificateSigning | CertificateSigning | CertificateSubjectRestriction | CertificateSubjectRestriction |
| CertificateSubjectRestriction | CertificateSubjectRestriction | ValidatingAdmissionWebhook | ValidatingAdmissionWebhook |
| ValidatingAdmissionWebhook | ValidatingAdmissionWebhook | ResourceQuota | ResourceQuota |
| ResourceQuota | ResourceQuota |