1.2.17 Ensure that the admission control plugin NodeRestriction is set

Information

Limit the Node and Pod objects that a kubelet could modify.

Rationale:

Using the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.

Solution

Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction.

--enable-admission-plugins=...,NodeRestriction,...

Impact:

None

Default Value:

By default, NodeRestriction is not set.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/admin/admission-controllers/#noderestriction

https://kubernetes.io/docs/admin/authorization/node/

https://acotten.com/post/kube17-security

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|14, CSCv7|4

Plugin: Unix

Control ID: b5100a3f965b772a39d00b130edcec3038812d9e75ecbc92fc4d733632ba17e8