Profile applicability: Level 1 - Master Node
Do not allow all requests.
Setting the admission control plugin AlwaysAdmit allows all requests and does not filter any of them. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.
Note: AlwaysAdmit is not in the list of default admission plugins.
Impact
Only requests explicitly allowed by the admission control plugins would be served.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that if the --enable-admission-plugins argument is set, its value does not include AlwaysAdmit.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.
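The Audit check can be scripted so it matches AlwaysAdmit only as a whole entry of --enable-admission-plugins, and can be re-run after remediation. This is an added example, not part of the benchmark text; the function names and the sample command lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit helper for the AlwaysAdmit check (hypothetical names).

# Print every value given to --enable-admission-plugins in the supplied text,
# which may be a `ps` line or the content of the static pod manifest.
# Handles both "--flag=value" and "--flag value"; quotes are stripped.
admission_plugins() {
  printf '%s\n' "$1" | tr -d "\"'" | tr -s '[:space:]' '\n' | awk '
    want { print; want = 0; next }
    /^--enable-admission-plugins=/ { sub(/^[^=]*=/, ""); print; next }
    $0 == "--enable-admission-plugins" { want = 1 }'
}

# Exit 0 if AlwaysAdmit is an exact entry in the comma-separated list.
# Exact matching avoids false hits on --disable-admission-plugins.
always_admit_enabled() {
  admission_plugins "$1" | tr ',' '\n' | grep -qx 'AlwaysAdmit'
}

# Print PASS or FAIL and return 0 or 1. An unset flag passes, as in the Audit text.
audit_apiserver() {
  if always_admit_enabled "$1"; then
    echo "FAIL"
    return 1
  fi
  echo "PASS"
}

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_GOOD='kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction'
SAMPLE_BAD='kube-apiserver --enable-admission-plugins=NodeRestriction,AlwaysAdmit'
SAMPLE_UNSET='kube-apiserver --authorization-mode=Node,RBAC'
SAMPLE_DISABLED='kube-apiserver --disable-admission-plugins=AlwaysAdmit'
SAMPLE_MANIFEST='spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=AlwaysAdmit,NodeRestriction'

for s in "$SAMPLE_GOOD" "$SAMPLE_BAD" "$SAMPLE_UNSET" "$SAMPLE_DISABLED" "$SAMPLE_MANIFEST"; do
  audit_apiserver "$s" || true
done

# On a Control Plane node, feed it the manifest named in the Remediation step:
#   audit_apiserver "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)"
```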