Ensure that the admin config file ownership is set to root:root

Property
Language: terraform
Severity: critical

Description

The Kubernetes admin configuration file (/etc/kubernetes/admin.conf) is not owned by root:root, allowing unauthorized users to potentially access or modify sensitive cluster credentials. This misconfiguration weakens the security of the Kubernetes control plane.

Impact

If exploited, unauthorized users could gain administrative access to the Kubernetes cluster, enabling them to control workloads, access secrets, or disrupt services, potentially resulting in a full cluster compromise.

Resolution

Change the ownership of the admin config file /etc/kubernetes/admin.conf to root:root.

Ensure that the admission control plugin AlwaysAdmit is not set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with the AlwaysAdmit admission control plugin enabled, which automatically allows all API requests without validation. This bypasses important security checks and access controls.

Impact

If exploited, any request—including potentially malicious or unauthorized changes—would be accepted by the API server, exposing the cluster to privilege escalation, resource abuse, and loss of control over Kubernetes workloads.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.

Ensure that the admission control plugin AlwaysPullImages is set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured to use the AlwaysPullImages admission control plugin, which means it may run container images from local cache instead of always fetching the latest image from the registry. This can allow outdated or unauthorized images to be used in the cluster.

Impact

Attackers could exploit this by running tampered or outdated images that persist on nodes, bypassing image updates or security patches. This increases the risk of running vulnerable or malicious code and undermines efforts to enforce image provenance and security controls.

Ensure that the admission control plugin EventRateLimit is set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the EventRateLimit admission control plugin, meaning it lacks controls to limit the rate of incoming API requests. This omission leaves the API server susceptible to excessive or abusive request traffic.

Impact

Without request rate limiting, attackers or misconfigured clients could overwhelm the API server with a high volume of requests, potentially leading to degraded performance, denial of service, or unavailability of Kubernetes cluster management operations.

Ensure that the admission control plugin NamespaceLifecycle is set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured to disable the NamespaceLifecycle admission control plugin, allowing creation of resources in namespaces that are in the process of termination. This bypasses a safeguard intended to prevent operations in unstable or deleting namespaces.

Impact

Without the NamespaceLifecycle plugin, resources can be created in terminating namespaces, leading to inconsistent cluster state, potential resource leaks, and operational issues. Attackers or misconfigurations could exploit this to disrupt workloads or interfere with namespace cleanup processes.

Ensure that the admission control plugin NodeRestriction is set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the NodeRestriction admission control plugin, allowing kubelets to make unauthorized modifications to Node and Pod objects. This weakens access controls on node and pod changes within the cluster.

Impact

Without NodeRestriction, compromised or malicious kubelets could escalate privileges by modifying Node or Pod objects they should not control, potentially leading to cluster takeover, lateral movement, or disruption of workloads.

Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used

Property
Language: terraform
Severity: low

Description

The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include SecurityContextDeny, unless PodSecurityPolicy is already in place.

Ensure that the admission control plugin ServiceAccount is set

Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured with the ServiceAccount admission control plugin disabled, preventing automated management of service accounts. This misconfiguration removes important controls for service account creation and association with pods.

Impact

Disabling the ServiceAccount plugin can lead to insecure and inconsistent service account usage, making it easier for workloads to run with default or overly privileged credentials. This increases the risk of privilege escalation, unauthorized access, and potential lateral movement within the cluster.
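The admission plugin rules above (AlwaysAdmit, AlwaysPullImages, EventRateLimit, NamespaceLifecycle, NodeRestriction, SecurityContextDeny/PodSecurityPolicy, ServiceAccount) can all be checked from the same two kube-apiserver flags. The following is an added example check, not code from the rule set itself; the two manifests are constructed, and it assumes NamespaceLifecycle and ServiceAccount are enabled by default in kube-apiserver, so they only fail when explicitly listed in --disable-admission-plugins.

```python
import re

# Constructed weak manifest fragment: enables AlwaysAdmit, disables ServiceAccount,
# and omits AlwaysPullImages, EventRateLimit and SecurityContextDeny.
WEAK_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysAdmit
    - --disable-admission-plugins=ServiceAccount
"""

# Constructed corrected fragment for the same file.
HARDENED_MANIFEST = """\
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysPullImages,EventRateLimit,SecurityContextDeny
"""

# Plugins the rules expect to be listed explicitly (not on by default).
REQUIRED = ("AlwaysPullImages", "EventRateLimit", "NodeRestriction")
# Assumption: these are on by default, so only an explicit disable violates the rule.
DEFAULT_ON = ("NamespaceLifecycle", "ServiceAccount")


def _flag_values(manifest, flag):
    """Return the comma-separated values of --<flag>=... as a set (empty if absent).
    Only the --flag=value form is handled, which is what kubeadm-style manifests use."""
    m = re.search(r"--" + re.escape(flag) + r"=([^\s\"']+)", manifest)
    return set(m.group(1).split(",")) if m else set()


def audit_admission_plugins(manifest):
    """Return a sorted list of rule violations found in the manifest text."""
    enabled = _flag_values(manifest, "enable-admission-plugins")
    disabled = _flag_values(manifest, "disable-admission-plugins")
    findings = []
    if "AlwaysAdmit" in enabled:
        findings.append("AlwaysAdmit is enabled")
    for plugin in REQUIRED:
        if plugin not in enabled or plugin in disabled:
            findings.append(f"{plugin} is not enabled")
    for plugin in DEFAULT_ON:
        if plugin in disabled:
            findings.append(f"{plugin} is disabled")
    if "PodSecurityPolicy" not in enabled and "SecurityContextDeny" not in enabled:
        findings.append("neither PodSecurityPolicy nor SecurityContextDeny is enabled")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_admission_plugins(WEAK_MANIFEST):
        print("FAIL:", finding)
    print("hardened manifest findings:", audit_admission_plugins(HARDENED_MANIFEST))
```

Run it against a real /etc/kubernetes/manifests/kube-apiserver.yaml by passing the file contents to audit_admission_plugins; the hardened manifest returns an empty list.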