1.1.11 Ensure that the admission control policy is not set to AlwaysAdmit

Information

Do not allow all requests.

Rationale:

Setting admission control policy to `AlwaysAdmit` allows all requests and do not filter any requests.

Solution

Edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_ADMISSION_CONTROL` parameter to a value that does not include `AlwaysAdmit`. Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

Only requests explicitly allowed by the admissions control policy would be served.

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: c73bb7bb18b51344b428fc2f7ef2a7af5aadc2b69140361edcf4e6bc5165fb77