Skip to main content



In the API can be enabled with the flag "--admission-control=...". 

By default (1.18) the following plugins are enabled:

NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota.


It is recommended to use the following plugins at least:

- PodSecurityPolicy

- NameSpaceExists

- AlwaysPullImages

- ResourceQuota


Not possible at all in Azure!

Included in the following risks