C-0127 - Ensure that the admission control plugin NodeRestriction is set
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
Using the NodeRestriction
plug-in ensures that the kubelet is restricted to the Node
and Pod
objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node
API object, and only modify Pod
API objects that are bound to their node.
Related resources
Pod
What does this control test
Limit the Node
and Pod
objects that a kubelet could modify.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --enable-admission-plugins
argument is set to a value that includes NodeRestriction
.
Remediation
Follow the Kubernetes documentation and configure NodeRestriction
plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the --enable-admission-plugins
parameter to a value that includes NodeRestriction
.
--enable-admission-plugins=...,NodeRestriction,...
Impact Statement
None
Default Value
By default, NodeRestriction
is not set.
Example
No example
Updated 11 days ago