Views:
Profile applicability: Level 1 - Master Node
Do not allow all requests.
Setting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.
Note
Note
AlwaysAdmit is not in the list of default admission plugins.

Impact

Only requests explicitly allowed by the admissions control plugins would be served.

Audit

Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that if the --enable-admission-plugins argument is set, its value does not include AlwaysAdmit.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.