Profile applicability: Level 2 - Master Node

Limit the Node and Pod objects that a kubelet could modify.

Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.

Note: By default, NodeRestriction is not set.
Audit

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --enable-admission-plugins argument is set to a value that includes NodeRestriction.

Remediation

Follow the Kubernetes documentation and configure the NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction:

--enable-admission-plugins=...,NodeRestriction,...
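As an added audit helper, not part of the benchmark text, the script below parses a kube-apiserver command line as printed by ps -ef and reports whether NodeRestriction is present as an exact, comma-separated element of the --enable-admission-plugins value (so a plugin named, say, NodeRestrictionX would not count). The sample command lines are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added audit helper for the NodeRestriction check.
# has_node_restriction: given one kube-apiserver command line, return 0 if
# NodeRestriction is an element of --enable-admission-plugins, else 1.
has_node_restriction() {
    cmdline="$1"
    # Accept both "--flag=value" and "--flag value" forms; take the value up to the next space.
    value=$(printf '%s\n' "$cmdline" | sed -n 's/.*--enable-admission-plugins[= ]\([^ ]*\).*/\1/p')
    [ -n "$value" ] || return 1
    # Split on commas and require an exact line match, not a substring match.
    printf '%s\n' "$value" | tr ',' '\n' | grep -qx 'NodeRestriction'
}

# Constructed sample ps -ef lines (not from a real control plane node).
SAMPLE_OK='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --advertise-address=10.0.0.1 --enable-admission-plugins=NamespaceLifecycle,NodeRestriction --secure-port=6443'
SAMPLE_BAD='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --advertise-address=10.0.0.1 --enable-admission-plugins=NamespaceLifecycle --secure-port=6443'
SAMPLE_NONE='root 1234 1 0 10:00 ? 00:01:00 kube-apiserver --advertise-address=10.0.0.1 --secure-port=6443'

# audit_live: run the benchmark's ps-based audit against the running API server.
# The [k] bracket trick keeps the grep process itself out of the match.
audit_live() {
    line=$(ps -ef | grep '[k]ube-apiserver')
    if has_node_restriction "$line"; then
        echo "PASS: NodeRestriction is enabled in --enable-admission-plugins"
    else
        echo "FAIL: NodeRestriction is not in --enable-admission-plugins"
    fi
}

# Only touch the live process when explicitly asked (./check.sh --live).
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it with --live on the control plane node to audit the running kube-apiserver; without arguments it only defines the functions and samples.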