HomeGitHubSign Up

C-0127 - Ensure that the admission control plugin NodeRestriction is set

Suggest Edits

Framework

cis-v1.23-t1.0.1

Severity

Medium

Description of the the issue

Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.

Related resources

Pod

What does this control test

Limit the Node and Pod objects that a kubelet could modify.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --enable-admission-plugins argument is set to a value that includes NodeRestriction.

Remediation

Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction.

--enable-admission-plugins=...,NodeRestriction,...

Impact Statement

None

Default Value

By default, NodeRestriction is not set.

Example

No example

Updated about 1 month ago