Starting in 3.3, OpenShift Container Platform uses a single admission chain for Kubernetes and OpenShift Container Platform resources. This is a change from 3.2 and earlier, which had separate admission chains. This means that the top-level admissionConfig.pluginConfig element can now contain the admission plug-in configuration, which used to be contained in kubernetesMasterConfig.admissionConfig.pluginConfig.

The kubernetesMasterConfig.admissionConfig.pluginConfig should be moved and merged into admissionConfig.pluginConfig.

Also, starting in 3.3, all the supported admission plug-ins are ordered in the single chain for you. You should no longer set admissionConfig.pluginOrderOverride or the kubernetesMasterConfig.admissionConfig.pluginOrderOverride. Instead, you should enable plug-ins that are off by default by either adding their plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza like this:

admissionConfig:
  pluginConfig:
    AlwaysPullImages: # (1)
      configuration:
        kind: DefaultAdmissionConfig
        apiVersion: v1
        disable: false # (2)

(1) Admission plug-in name.
(2) Indicates that a plug-in should be enabled. It is optional and shown here only for reference.

Setting disable to true will disable an admission plug-in that defaults to on.

Admission plug-ins are commonly used to help enforce security on the API server. Be careful when disabling them.

If you were previously using admissionConfig elements that cannot be safely combined into a single admission chain, you will get a warning in your API server logs and your API server will start with two separate admission chains for legacy compatibility. Update your admissionConfig to resolve the warning.
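
The migration described above, as an added example that is not part of the original documentation or the product's own tooling: a pre-upgrade check that merges the Kubernetes plug-in configuration into the top-level admissionConfig.pluginConfig, removes both pluginOrderOverride settings, and lists plug-ins that are switched off so they can be reviewed. The function name, the sample configuration, and the rule that a plug-in configured differently in both places counts as a conflict are assumptions of this example.

```python
import copy

# Constructed 3.2-style master-config.yaml, already parsed into a dict
# (sample data for this example, not taken from a real cluster).
LEGACY = {
    "admissionConfig": {
        "pluginOrderOverride": ["NamespaceLifecycle", "AlwaysPullImages"],
        "pluginConfig": {
            "AlwaysPullImages": {"configuration": {
                "kind": "DefaultAdmissionConfig", "apiVersion": "v1",
                "disable": False}},
        },
    },
    "kubernetesMasterConfig": {
        "admissionConfig": {
            "pluginConfig": {
                "LimitRanger": {"configuration": {
                    "kind": "DefaultAdmissionConfig", "apiVersion": "v1",
                    "disable": True}},
            },
        },
    },
}


def migrate(master_config):
    """Return (new_config, findings) for the single admission chain."""
    cfg = copy.deepcopy(master_config)
    findings = []
    top = cfg.setdefault("admissionConfig", {})
    kube = cfg.get("kubernetesMasterConfig", {}).get("admissionConfig", {})
    merged = top.setdefault("pluginConfig", {})
    # Move kubernetesMasterConfig.admissionConfig.pluginConfig to the top level.
    for name, plugin in (kube.pop("pluginConfig", None) or {}).items():
        if name in merged and merged[name] != plugin:
            findings.append(f"conflict: {name} configured in both chains")
            continue  # assumption: keep the top-level entry, resolve by hand
        merged[name] = plugin
    # Plug-in ordering is fixed from 3.3 on, so drop both overrides.
    for label, section in (("admissionConfig", top),
                           ("kubernetesMasterConfig.admissionConfig", kube)):
        if section.pop("pluginOrderOverride", None) is not None:
            findings.append(f"removed: {label}.pluginOrderOverride")
    # Surface plug-ins that are switched off, for security review.
    for name, plugin in sorted(merged.items()):
        if (plugin.get("configuration") or {}).get("disable") is True:
            findings.append(f"disabled: {name}")
    return cfg, findings
```

The input is left unmodified, so the returned findings can be reviewed before the new configuration is written back to the master.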