C-0122 - Ensure that the admission control plugin AlwaysAdmit is not set
Description of the the issue
Setting admission control plugin
AlwaysAdmit allows all requests and do not filter any requests.
AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.
What does this control test
Do not allow all requests.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that if the
--enable-admission-plugins argument is set, its value does not include
Edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the
--enable-admission-plugins parameter, or set it to a value that does not include
Only requests explicitly allowed by the admissions control plugins would be served.
AlwaysAdmit is not in the list of default admission plugins.
Updated 8 days ago