C-0127 - Ensure that the admission control plugin NodeRestriction is set
Description of the issue
The NodeRestriction plug-in ensures that the kubelet is restricted to the Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.
What does this control test
Pod objects that a kubelet could modify.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --enable-admission-plugins argument is set to a value that includes
Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes
NodeRestriction is not set.
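The manual check above can be scripted so that it also serves as a verification step after the manifest has been edited. This is an added example, not code from the original page or from Kubescape; the function names and the sample command lines are constructed, and treating a repeated flag as additive is an assumption.

```shell
#!/bin/sh
# Added example. All sample command lines below are constructed.
# Live use on a control plane node:
#   check_node_restriction "$(ps -ef | grep '[k]ube-apiserver')" && echo PASS

# plugin_list FLAG CMDLINE: print the merged comma-separated value of --FLAG.
# Accepts "--flag=value" and "--flag value"; repeated flags are merged
# (assumption: the flag is additive when given more than once).
plugin_list() (
    set -f                      # no globbing while word-splitting the line
    flag=$1; value=; take_next=0
    for arg in $2; do
        if [ "$take_next" -eq 1 ]; then
            value=${value:+$value,}$arg; take_next=0; continue
        fi
        case $arg in
            "--$flag="*) value=${value:+$value,}${arg#*=} ;;
            "--$flag")   take_next=1 ;;
        esac
    done
    printf '%s\n' "$value"
)

# in_list NAME LIST: succeed only on an exact whole-item match,
# so "NodeRestrictionX" does not count as NodeRestriction.
in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_node_restriction CMDLINE: 0 if NodeRestriction is enabled and not
# also listed in --disable-admission-plugins, 1 otherwise.
check_node_restriction() {
    enabled=$(plugin_list enable-admission-plugins "$1")
    disabled=$(plugin_list disable-admission-plugins "$1")
    in_list NodeRestriction "$enabled" && ! in_list NodeRestriction "$disabled"
}

GOOD='root 1234 1 kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NamespaceLifecycle,NodeRestriction'
SPACED='kube-apiserver --enable-admission-plugins ServiceAccount,NodeRestriction'
MISSING='kube-apiserver --enable-admission-plugins=NamespaceLifecycle,ServiceAccount'
ABSENT='kube-apiserver --authorization-mode=Node,RBAC'
DISABLED='kube-apiserver --enable-admission-plugins=NodeRestriction --disable-admission-plugins=NodeRestriction'

for sample in "$GOOD" "$SPACED" "$MISSING" "$ABSENT" "$DISABLED"; do
    if check_node_restriction "$sample"; then echo "PASS: $sample"; else echo "FAIL: $sample"; fi
done
```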