1.1.10 Ensure that the admission control plugin AlwaysAdmit is not set

Information

Do not allow all requests.

Rationale:

Setting admission control plugin AlwaysAdmit allows all requests and do not filter any requests.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that does not include AlwaysAdmit.

Impact:

Only requests explicitly allowed by the admissions control plugin would be served.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: 837db0af41c3c6da05bc92ccc3150ec50d12a07305a8e64c1aee46a6aa025ead