Ensure the admission control plugin AlwaysAdmit is not set

Error: The admission control plugin AlwaysAdmit is set

Bridgecrew Policy ID: BC_K8S_56
Checkov Check ID: CKV_K8S_79
Severity: MEDIUM

Description

Do not allow all requests. Setting the admission control plugin AlwaysAdmit admits every request and does not filter any of them.
The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver-passed
  namespace: kube-system
spec:
  containers:
    - command:
        - kube-apiserver
        # "other" is a placeholder for the plugins you need; AlwaysAdmit must not be in the list
        - --enable-admission-plugins=other
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      livenessProbe:
        failureThreshold: 8
        httpGet:
          host: 127.0.0.1
          path: /healthz
          port: 6443
          scheme: HTTPS
        initialDelaySeconds: 15
        timeoutSeconds: 15
      name: kube-apiserver
      resources:
        requests:
          cpu: 250m
      volumeMounts:
        - mountPath: /etc/kubernetes/
          name: k8s
          readOnly: true
        - mountPath: /etc/ssl/certs
          name: certs
        - mountPath: /etc/pki
          name: pki
  hostNetwork: true
  volumes:
    - hostPath:
        path: /etc/kubernetes
      name: k8s
    - hostPath:
        path: /etc/ssl/certs
      name: certs
    - hostPath:
        path: /etc/pki
      name: pki
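
A minimal version of this check, as an added example (not Checkov's own implementation and not code from the original page). It goes slightly beyond the manifest above by also reading the legacy --admission-control flag and the space-separated flag form; the helper names and sample Pods are assumptions constructed for the example.

```python
# Flags that carry the plugin list. --admission-control is the legacy name of
# --enable-admission-plugins (covered here as an assumption; the page shows
# only the newer flag).
PLUGIN_FLAGS = ("--enable-admission-plugins", "--admission-control")


def admission_plugins(argv):
    """Plugins named in argv; accepts both --flag=a,b and --flag a,b."""
    plugins = []
    for i, arg in enumerate(argv):
        flag, sep, value = arg.partition("=")
        if flag not in PLUGIN_FLAGS:
            continue
        if not sep:  # space-separated form: the value is the next argument
            value = argv[i + 1] if i + 1 < len(argv) else ""
        plugins += [p.strip() for p in value.split(",") if p.strip()]
    return plugins


def always_admit_findings(pod):
    """Names of kube-apiserver containers in a Pod dict that set AlwaysAdmit."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        is_apiserver = any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in argv)
        if is_apiserver and "AlwaysAdmit" in admission_plugins(argv):
            findings.append(c.get("name", "<unnamed>"))
    return findings


def pod(name, *argv):
    """Build a minimal Pod dict (constructed sample input)."""
    return {"kind": "Pod", "spec": {"containers": [{"name": name, "command": list(argv)}]}}


# Constructed samples: the first mirrors the page's passing manifest.
PASSED = pod("kube-apiserver", "kube-apiserver", "--enable-admission-plugins=other")
FAILED = pod("kube-apiserver", "kube-apiserver",
             "--enable-admission-plugins=NodeRestriction, AlwaysAdmit")
LEGACY = pod("kube-apiserver", "/usr/local/bin/kube-apiserver",
             "--admission-control", "AlwaysAdmit")
UNRELATED = pod("sidecar", "proxy", "--enable-admission-plugins=AlwaysAdmit")

if __name__ == "__main__":
    for label, p in [("passed", PASSED), ("failed", FAILED),
                     ("legacy", LEGACY), ("unrelated", UNRELATED)]:
        print(label, always_admit_findings(p) or "ok")
```

To run it against a real manifest, load the YAML into a dict with your parser of choice and pass it to always_admit_findings.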