Ensure the admission control plugin NodeRestriction is set

Error: The admission control plugin NodeRestriction is not set

Bridgecrew Policy ID: BC_K8S_62
Checkov Check ID: CKV_K8S_85
Severity: MEDIUM


Description

Limit the Node and Pod objects that a kubelet can modify.
Enabling the NodeRestriction admission plugin restricts each kubelet to the Node and Pod objects it is permitted to modify: a kubelet may modify only its own Node API object, and only the Pod API objects that are bound to its node.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=NodeRestriction
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
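Added example, not code from the Bridgecrew/Checkov page: a small Python check in the spirit of CKV_K8S_85 that inspects a kube-apiserver Pod manifest (already parsed into a dict, e.g. with yaml.safe_load) and reports whether NodeRestriction is enabled. It goes beyond the manifest above by handling both --flag=value and --flag value forms, comma-separated plugin lists, a shell-wrapped command line, and an explicit --disable-admission-plugins entry; the sample Pods and helper names are constructed here.

```python
import shlex

PLUGIN = "NodeRestriction"

def _tokens(container):
    """Flatten command+args; split shell-style strings such as
    ["sh", "-c", "kube-apiserver --enable-admission-plugins=..."]."""
    out = []
    for a in list(container.get("command", [])) + list(container.get("args", [])):
        out.extend(shlex.split(a) if " " in a else [a])
    return out

def _plugins(tokens, flag):
    """Union of comma-separated values given as --flag=v or --flag v
    (kube-apiserver appends values when the flag is repeated)."""
    found = set()
    for i, tok in enumerate(tokens):
        if tok.startswith(flag + "="):
            found.update(tok.split("=", 1)[1].split(","))
        elif tok == flag and i + 1 < len(tokens):
            found.update(tokens[i + 1].split(","))
    return found - {""}

def node_restriction_enabled(pod):
    """True iff every kube-apiserver container in the Pod enables NodeRestriction
    and does not also list it under --disable-admission-plugins. NodeRestriction
    is not in kube-apiserver's default plugin set, so an absent flag means off."""
    apiserver_seen = False
    for c in pod.get("spec", {}).get("containers", []):
        toks = _tokens(c)
        if not any(t.endswith("kube-apiserver") for t in toks):
            continue  # sidecar or unrelated container
        apiserver_seen = True
        if PLUGIN not in _plugins(toks, "--enable-admission-plugins"):
            return False
        if PLUGIN in _plugins(toks, "--disable-admission-plugins"):
            return False
    return apiserver_seen

# Constructed sample manifests mirroring the failing and fixed Pods on this page.
def _apiserver_pod(argv):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "kube-apiserver", "command": argv}]}}

FAILING = _apiserver_pod(["kube-apiserver"])
FIXED = _apiserver_pod(["kube-apiserver", "--enable-admission-plugins=NodeRestriction"])
OTHER_PLUGINS_ONLY = _apiserver_pod(["kube-apiserver", "--enable-admission-plugins=PodSecurity,ResourceQuota"])
SHELL_WRAPPED = _apiserver_pod(["sh", "-c", "kube-apiserver --enable-admission-plugins NodeRestriction,PodSecurity"])
```

The plugin only takes effect for kubelets that authenticate as their node identity, so this static check complements, rather than replaces, verifying the cluster's node authentication and authorization setup.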