Ensure the admission control plugin NodeRestriction is set
Error: The admission control plugin NodeRestriction is not set
Bridgecrew Policy ID: BC_K8S_62
Checkov Check ID: CKV_K8S_85
Severity: MEDIUM
The admission control plugin NodeRestriction is not set
Description
Limit the Node and Pod objects that a kubelet could modify.
Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.
Fix - Buildtime
Kubernetes
- Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --enable-admission-plugins=NodeRestriction
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
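The check described above can be sketched as a small manifest audit. This is an added example, not Checkov's or Bridgecrew's own implementation; the function names and the sample manifests are constructed for illustration, and treating a plugin that is both enabled and disabled as a failure is an assumption.

```python
PLUGIN = "NodeRestriction"

def flag_values(command, flag):
    """Values of a comma-separated flag, given as --flag=a,b or --flag a,b."""
    values = []
    for i, arg in enumerate(command):
        if arg.startswith(flag + "="):
            raw = arg.split("=", 1)[1]
        elif arg == flag and i + 1 < len(command):
            raw = command[i + 1]
        else:
            continue
        # Exact names only, so a longer plugin name never matches by substring.
        values += [v.strip() for v in raw.split(",") if v.strip()]
    return values

def node_restriction_enabled(pod):
    """True/False for a kube-apiserver Pod, None if the Pod is not one."""
    result = None
    for c in pod.get("spec", {}).get("containers", []):
        cmd = (c.get("command") or []) + (c.get("args") or [])
        if not any(a.rsplit("/", 1)[-1] == "kube-apiserver" for a in cmd):
            continue
        enabled = flag_values(cmd, "--enable-admission-plugins")
        disabled = flag_values(cmd, "--disable-admission-plugins")
        # Assumption: a plugin that is also listed as disabled counts as a failure.
        if PLUGIN not in enabled or PLUGIN in disabled:
            return False
        result = True
    return result

def make_pod(*command):
    """Constructed sample manifest, shaped like a parsed Pod object."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "kube-apiserver", "namespace": "kube-system"},
        "spec": {"containers": [{"command": list(command)}]},
    }

FIXED = make_pod("kube-apiserver", "--enable-admission-plugins=NodeRestriction")
SPLIT = make_pod("kube-apiserver", "--enable-admission-plugins", "PodSecurity,NodeRestriction")
MISSING = make_pod("kube-apiserver", "--enable-admission-plugins=NamespaceLifecycle")
DISABLED = make_pod("kube-apiserver", "--enable-admission-plugins=NodeRestriction",
                    "--disable-admission-plugins=NodeRestriction")
OTHER = make_pod("nginx")

if __name__ == "__main__":
    for name in ("FIXED", "SPLIT", "MISSING", "DISABLED", "OTHER"):
        print(name, node_restriction_enabled(globals()[name]))
```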