Disabling Admission Control Plugins for Enterprise PKS Clusters

Page last updated:

Warning: Pivotal Container Service (PKS) v1.5 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy.
To stay up to date with the latest software and security updates, upgrade to a supported version.

Topic provided by VMware

This section describes how to disable one or more admission control plugins for Enterprise Pivotal Container Service (Enterprise PKS) clusters. For more information, see Enabling and Using Admission Control Plugins for Enterprise PKS Clusters.

Disabling a Single Admission Control Plugin

To disable a single admission control plugin, do the following:

1. Log in to Ops Manager.
2. Click the Enterprise PKS tile.
3. Select the plan where you configured the admission control plugin, such as Plan 1.
4. Deselect the admission control plugin.
5. Click Save.
6. In the Errands pane, verify that Upgrade all clusters errand is enabled.
7. Return to Installation Dashboard and select Review Pending Changes.
8. Click Apply Changes.

Alternatively, instead of enabling Upgrade all clusters errand, you can upgrade individual Kubernetes clusters through the PKS Command Line Interface (PKS CLI). For instructions on upgrading individual Kubernetes clusters, see Upgrading Clusters.

Disabling an Orphaned Admission Control Plugin

The Ops Manager UI does not let you deselect (disable) all admission control plugins.

In other words, after an admission control plugin is enabled, the Ops Manager UI requires that at least one admission control plugin checkbox is selected (enabled).

To disable an orphaned Admission control Plugin, complete the following workflow:

1. Obtain the FQDN, user name and password of your Ops Manager.
2. Authenticate into the Ops Manager API and retrieve a UAA access token to access Ops Manager. For more information, see Using the Ops Manager API.

3. Obtain the BOSH deployment name for the Enterprise PKS tile by doing one of the following options:

   1. Option 1: Use the Ops Manager API:

      1. In a terminal, run the following command:

         curl -i "https://OPS-MAN-FQDN/api/v0/staged/products" -X GET -H "Authorization: Bearer UAA-ACCESS-TOKEN" -k
         

      2. In the output, locate the installation_name that begins with pivotal-container-service.

      3. Copy the entire BOSH deployment name, including the unique GUID. For example, pivotal-container-service-4b48fc5b704d54c6c7de.

   2. Option 2: Use the Ops Manager UI:

      1. In Ops Manager, click on the Enterprise PKS tile.

      2. Copy the BOSH deployment name including the GUID from the URL:

         
         
         The deployment name contains “pivotal-container-service” and a unique GUID string. For example, pivotal-container-service-4b48fc5b704d54c6c7de.

4. To disable the orphaned admission control plugin, run the following Ops Manager API command:

    curl -i "https://OPS-MAN-FQDN/api/v0/staged/pivotal-container-service-GUID/properties" \
    -H "Authorization: Bearer UAA-ACCESS-TOKEN" \
    -X PUT -d '{"properties": {".properties.PLAN-NUMBER_selector.active.admission_plugins":{"value":[]}}}' \
    -H "Content-Type: application/json"
   

   Where:

   • OPS-MAN-FQDN is the URL of your Ops Manager.
   • pivotal-container-service-GUID is the BOSH deployment name of your Enterprise PKS that you retrieved earlier in this procedure.
   • UAA-ACCESS-TOKEN is the UAA token you retrieved earlier in this procedure.
   • PLAN-NUMBER is the plan configuration you want to update. For example, plan1 or plan2.

   For example:

    $ curl -i "https://pcf.example.com/api/v0/staged/products/pivotal-container-service-4b48fc5b704d54c6c7de/properties" \
    -H "Authorization: Bearer aBcdEfg0hIJKlm123.e" \
    -X PUT -d '{"properties": {".properties.plan1_selector.active.admission_plugins":{"value":[]}}}' \
    -H "Content-Type: application/json"
   

5. From the output, verify that the command returns a HTTP 200 status code.

6. Validate your manifest change in the Ops Manager UI. Do the following:

   1. Log in to Ops Manager.
   2. Select Review Pending Changes.
   3. On the Review Pending Changes pane, navigate to the Enterprise PKS section and select SEE CHANGES.

   4. Verify that the admission control plugins are displayed as removed in the Manifest section. For example:

      

7. Click Apply Changes.