Ensure that the admission control plugin AlwaysAdmit is not set

MEDIUM

Description

Description:

Do not allow all requests.

Rationale:

Setting the admission control plugin 'AlwaysAdmit' allows all requests and does not filter any of them.

The 'AlwaysAdmit' admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.

Only requests explicitly allowed by the admission control plugins would be served.

Remediation

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and either remove the '--enable-admission-plugins' parameter, or set it to a value that does not include 'AlwaysAdmit'.
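One way to audit a manifest for this setting, as an added example (not part of the original policy text or of any scanner's own code). The function names and the sample manifests are constructed for illustration, and the script assumes the flag is written in the '--flag=value' form.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver manifest for the AlwaysAdmit plugin.

# Print the plugin list of every --enable-admission-plugins flag in the
# manifest, one list per line. Empty output means the flag is not present.
admission_plugins() {
    # Drop commented-out lines, then capture the value after '='.
    sed -n -e '/^[[:space:]]*#/d' \
        -e 's/.*--enable-admission-plugins=\([A-Za-z0-9_,]*\).*/\1/p' "$1"
}

# Return 0 if compliant, 1 if AlwaysAdmit is enabled, 2 if the file is unreadable.
check_always_admit() {
    manifest=$1
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    plugins=$(admission_plugins "$manifest")
    # Compare whole plugin names between commas, not substrings.
    if printf '%s\n' "$plugins" | tr ',' '\n' | grep -qx 'AlwaysAdmit'; then
        echo "FAIL: AlwaysAdmit enabled in $manifest ($plugins)"
        return 1
    fi
    echo "PASS: AlwaysAdmit not set in $manifest"
    return 0
}

# Constructed sample manifests (not taken from a real cluster).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysAdmit
EOF
cat > "$demo_dir/good.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    # - --enable-admission-plugins=AlwaysAdmit
    - --enable-admission-plugins=NodeRestriction
EOF
check_always_admit "$demo_dir/bad.yaml" || true
check_always_admit "$demo_dir/good.yaml"
```

On a control-plane node, call check_always_admit with the manifest path named in the remediation text; a non-zero exit status can gate a configuration pipeline.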

Policy Details

Rule Reference ID: AC_K8S_0047
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks