C-0122 - Ensure that the admission control plugin AlwaysAdmit is not set

Framework

cis-v1.23-t1.0.1

Severity

High

Description of the the issue

Setting admission control plugin AlwaysAdmit allows all requests and do not filter any requests.

The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.

Related resources

Pod

What does this control test

Do not allow all requests.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that if the --enable-admission-plugins argument is set, its value does not include AlwaysAdmit.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.

Impact Statement

Only requests explicitly allowed by the admissions control plugins would be served.

Default Value

AlwaysAdmit is not in the list of default admission plugins.

Example

No example