Ensure the admission control plugin NodeRestriction is set
Error: The admission control plugin NodeRestriction is not set
Bridgecrew Policy ID: BC_K8S_62
Checkov Check ID: CKV_K8S_85
Severity: MEDIUM
The admission control plugin NodeRestriction is not set
Description
Limit the Node and Pod objects that a kubelet could modify.
Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.
Fix - Buildtime
Kubernetes
- Kind: Pod
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
+ - kube-apiserver
+ - --enable-admission-plugins=NodeRestriction
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
...
Updated 6 months ago