Ensure that the admission control plugin NodeRestriction is set

MEDIUM

Description

Description:

Limit the 'Node' and 'Pod' objects that a kubelet could modify.

Rationale:

Using the 'NodeRestriction' plug-in restricts each kubelet to the 'Node' and 'Pod' objects it is permitted to modify. A kubelet is then only allowed to modify its own 'Node' API object, and only those 'Pod' API objects that are bound to its node.

Remediation

Follow the Kubernetes documentation and configure the 'NodeRestriction' plug-in on kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--enable-admission-plugins' parameter to a value that includes 'NodeRestriction':

--enable-admission-plugins=...,NodeRestriction,...
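An audit check for this rule, added here as an example (it is not part of the benchmark or of Kubernetes tooling): a POSIX shell function that reads a kube-apiserver static pod manifest and reports whether 'NodeRestriction' is listed in '--enable-admission-plugins'. It runs against constructed weak and remediated manifests instead of the real '/etc/kubernetes/manifests/kube-apiserver.yaml'.

```shell
#!/bin/sh
# Audit helper for AC_K8S_0026 (added example): is NodeRestriction present in
# --enable-admission-plugins of a kube-apiserver manifest? Constructed sample
# manifests stand in for /etc/kubernetes/manifests/kube-apiserver.yaml.

# Exit status: 0 = NodeRestriction enabled, 1 = flag present but plugin
# missing, 2 = the --enable-admission-plugins flag is absent altogether.
check_node_restriction() {
  manifest="$1"
  # Take the value after '=' on the first matching flag line; the YAML list
  # prefix ("- ") and optional double quotes are tolerated.
  value=$(sed -n 's/.*--enable-admission-plugins=\([^" ]*\).*/\1/p' "$manifest" | head -n 1)
  if [ -z "$value" ]; then
    return 2
  fi
  # Split the comma-separated list and require an exact plugin name so a
  # substring such as "NodeRestrictionX" would not count as a match.
  printf '%s\n' "$value" | tr ',' '\n' | grep -qx 'NodeRestriction'
}

# Constructed weak manifest: the flag is set but NodeRestriction is missing.
WEAK_MANIFEST=$(mktemp)
cat > "$WEAK_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --enable-admission-plugins=NamespaceLifecycle,ServiceAccount
EOF

# Constructed remediated manifest: the same file with NodeRestriction appended
# to the plugin list, as the remediation above requires.
FIXED_MANIFEST=$(mktemp)
sed 's/ServiceAccount$/ServiceAccount,NodeRestriction/' "$WEAK_MANIFEST" > "$FIXED_MANIFEST"

# Constructed manifest with no --enable-admission-plugins flag at all.
NOFLAG_MANIFEST=$(mktemp)
grep -v 'enable-admission-plugins' "$WEAK_MANIFEST" > "$NOFLAG_MANIFEST"
trap 'rm -f "$WEAK_MANIFEST" "$FIXED_MANIFEST" "$NOFLAG_MANIFEST"' EXIT

for m in "$WEAK_MANIFEST" "$FIXED_MANIFEST" "$NOFLAG_MANIFEST"; do
  if check_node_restriction "$m"; then echo "PASS $m"; else echo "FAIL (rc=$?) $m"; fi
done
```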

Policy Details

Rule Reference ID: AC_K8S_0026
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks