Disabling Admission Control Plugins for Enterprise PKS Clusters
Page last updated:
Topic provided by VMware
This section describes how to disable one or more admission control plugins for Enterprise Pivotal Container Service (Enterprise PKS) clusters. For more information, see Enabling and Using Admission Control Plugins for Enterprise PKS Clusters.
Disabling a Single Admission Control Plugin
To disable a single admission control plugin, do the following:
- Log in to Ops Manager.
- Click the Enterprise PKS tile.
- Select the plan where you configured the admission control plugin, such as Plan 1.
- Deselect the admission control plugin.
- Click Save.
- In the Errands pane, verify that Upgrade all clusters errand is enabled.
- Return to Installation Dashboard and select Review Pending Changes.
- Click Apply Changes.
Alternatively, instead of enabling Upgrade all clusters errand, you can upgrade individual Kubernetes clusters through the PKS Command Line Interface (PKS CLI). For instructions on upgrading individual Kubernetes clusters, see Upgrading Clusters.
Disabling an Orphaned Admission Control Plugin
The Ops Manager UI does not let you deselect (disable) all admission control plugins.
In other words, after an admission control plugin is enabled, the Ops Manager UI requires that at least one admission control plugin checkbox is selected (enabled).
To disable an orphaned Admission control Plugin, complete the following workflow:
- Obtain the FQDN, user name and password of your Ops Manager.
- Authenticate into the Ops Manager API and retrieve a UAA access token to access Ops Manager. For more information, see Using the Ops Manager API.
Obtain the BOSH deployment name for the Enterprise PKS tile by doing one of the following options:
Option 1: Use the Ops Manager API:
In a terminal, run the following command:
curl -i "https://OPS-MAN-FQDN/api/v0/staged/products" -X GET -H "Authorization: Bearer UAA-ACCESS-TOKEN" -kIn the output, locate the
installation_namethat begins withpivotal-container-service.Copy the entire BOSH deployment name, including the unique GUID. For example,
pivotal-container-service-4b48fc5b704d54c6c7de.
Option 2: Use the Ops Manager UI:
- In Ops Manager, click on the Enterprise PKS tile.
Copy the BOSH deployment name including the GUID from the URL:
The deployment name contains “pivotal-container-service” and a unique GUID string. For example,pivotal-container-service-4b48fc5b704d54c6c7de.
To disable the orphaned admission control plugin, run the following Ops Manager API command:
curl -i "https://OPS-MAN-FQDN/api/v0/staged/pivotal-container-service-GUID/properties" \ -H "Authorization: Bearer UAA-ACCESS-TOKEN" \ -X PUT -d '{"properties": {".properties.PLAN-NUMBER_selector.active.admission_plugins":{"value":[]}}}' \ -H "Content-Type: application/json"Where:
OPS-MAN-FQDNis the URL of your Ops Manager.pivotal-container-service-GUIDis the BOSH deployment name of your Enterprise PKS that you retrieved earlier in this procedure.UAA-ACCESS-TOKENis the UAA token you retrieved earlier in this procedure.PLAN-NUMBERis the plan configuration you want to update. For example,plan1orplan2.
For example:
$ curl -i "https://pcf.example.com/api/v0/staged/products/pivotal-container-service-4b48fc5b704d54c6c7de/properties" \ -H "Authorization: Bearer aBcdEfg0hIJKlm123.e" \ -X PUT -d '{"properties": {".properties.plan1_selector.active.admission_plugins":{"value":[]}}}' \ -H "Content-Type: application/json"From the output, verify that the command returns a
HTTP 200status code.Validate your manifest change in the Ops Manager UI. Do the following:
- Log in to Ops Manager.
- Select Review Pending Changes.
- On the Review Pending Changes pane, navigate to the Enterprise PKS section and select SEE CHANGES.
Verify that the admission control plugins are displayed as removed in the Manifest section. For example:
Click Apply Changes.
Please send any feedback you have to pks-feedback@pivotal.io.