1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set - Overrides

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not allow all requests.

Rationale:

Setting admission control plugin AlwaysAdmit allows all requests and does not filter any requests.

The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.

Impact:

Only requests explicitly allowed by the admissions control plugins would be served.

Solution

No remediation is required. The AlwaysAdmit admission controller cannot be enabled in OpenShift.

Default Value:

This AlwaysAdmit controller is disabled by default in OpenShift and cannot be enabled.

See Also

https://workbench.cisecurity.org/files/3980