1.1.33 Ensure that the admission control plugin NodeRestriction is set

Information

Limit the 'Node' and 'Pod' objects that a kubelet could modify.

Rationale:

Using the 'NodeRestriction' plug-in ensures that the kubelet is restricted to the 'Node' and 'Pod' objects that it could modify as defined. Such kubelets will only be allowed to modify their own 'Node' API object, and only modify 'Pod' API objects that are bound to their node.

Solution

Follow the Kubernetes documentation and configure 'NodeRestriction' plug-in on kubelets. Then, edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--enable-admission-plugins' parameter to a value that includes 'NodeRestriction'.

--enable-admission-plugins=...,NodeRestriction,...

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14

Plugin: Unix

Control ID: e434b90403cf728f17bfdc0a64c55cef45f77c49d7f57f34e40dd92eb88a14ff