1.1.33 Ensure that the admission control policy is set to NodeRestriction

Information

Limit the `Node` and `Pod` objects that a kubelet can modify.

Rationale:

Using the `NodeRestriction` plug-in restricts each kubelet to the `Node` and `Pod` objects it is permitted to modify. Such kubelets are only allowed to modify their own `Node` API object, and only those `Pod` API objects that are bound to their node.

Solution

Follow the Kubernetes documentation and configure the `NodeRestriction` plug-in on the kubelets. Then, edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_ADMISSION_CONTROL` parameter so that its plug-in list includes `NodeRestriction`, for example: `KUBE_ADMISSION_CONTROL='--admission-control=...,NodeRestriction,...'`

Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`
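As an added audit helper (not part of this benchmark item or of Kubernetes itself), the following POSIX shell script checks whether the `KUBE_ADMISSION_CONTROL` line of an apiserver config file lists `NodeRestriction` as an exact plug-in name. The path `/etc/kubernetes/apiserver` comes from the item above; the sample config contents are constructed for this example, and recognising the newer `--enable-admission-plugins` flag alongside the legacy `--admission-control` flag is an extension beyond what the item describes.

```shell
# Added audit helper, not part of the CIS/Tenable item: report whether the
# KUBE_ADMISSION_CONTROL setting in an apiserver config file lists the
# NodeRestriction plug-in. The sample files below are constructed; on a real
# master node the file to check is /etc/kubernetes/apiserver.

# Print the comma-separated admission plug-in list from the config file
# (empty output if the line or a recognised flag is absent).
admission_plugins() {
  line=$(grep '^KUBE_ADMISSION_CONTROL=' "$1" 2>/dev/null | tail -n 1)
  value=${line#*=}                       # drop KUBE_ADMISSION_CONTROL=
  value=${value#\'}; value=${value%\'}   # strip single or double quotes
  value=${value#\"}; value=${value%\"}
  set -- $value                          # keep only the first flag token
  case "$1" in
    --admission-control=*|--enable-admission-plugins=*) printf '%s\n' "${1#*=}" ;;
    *) printf '\n' ;;
  esac
}

# Return 0 when NodeRestriction is an exact entry of the list, else 1
# (so a name such as NodeRestrictionX does not count as a match).
has_node_restriction() {
  plugins=$(admission_plugins "$1")
  old_ifs=$IFS; IFS=,
  found=1
  for p in $plugins; do
    [ "$p" = "NodeRestriction" ] && found=0
  done
  IFS=$old_ifs
  return $found
}

# Human-readable verdict for one file.
audit_file() {
  if has_node_restriction "$1"; then echo "PASS: $1"; else echo "FAIL: $1 (NodeRestriction not enabled)"; fi
}

# Constructed sample configs: one failing and one passing the check.
sample_dir=$(mktemp -d)
cat > "$sample_dir/apiserver.fail" <<'EOF'
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount"
EOF
cat > "$sample_dir/apiserver.pass" <<'EOF'
KUBE_ADMISSION_CONTROL='--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ServiceAccount'
EOF

audit_file "$sample_dir/apiserver.fail"
audit_file "$sample_dir/apiserver.pass"
```

Point `audit_file` at `/etc/kubernetes/apiserver` on the master node to run the check against the real configuration; a FAIL verdict means the plug-in list does not contain `NodeRestriction` and the item's remediation applies.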

Impact:

None

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: d16f0c3db1a3a817c04c9375f2153bad7e48b972b3881a9d0a79b60843828410