Property
Language: terraform
Severity: low

Description

The Kubernetes API server is configured to disable the NamespaceLifecycle admission control plugin, allowing creation of resources in namespaces that are in the process of termination. This bypasses a safeguard intended to prevent operations in unstable or deleting namespaces.

Impact

Without the NamespaceLifecycle plugin, resources can be created in terminating namespaces, leading to inconsistent cluster state, potential resource leaks, and operational issues. Attackers or misconfigurations could exploit this to disrupt workloads or interfere with namespace cleanup processes.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node and make sure the value of the --disable-admission-plugins parameter does not include NamespaceLifecycle.
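
One way to check a manifest for this finding, as an added example that is not the scanner's or Kubernetes' own code. The function names and the two manifest fragments are constructed, and it assumes the kubeadm-style layout with one `--flag=value` per YAML list item:

```shell
#!/bin/sh
# Added example (not the scanner's own code): audit a kube-apiserver manifest.
# Assumes the kubeadm-style layout: one "--flag=value" per YAML list item.

# Print the plugins named by --disable-admission-plugins in manifest $1
# (empty if unset). Repeated flags are joined so no occurrence is missed.
disabled_plugins() {
    grep -E '^[[:space:]]*-[[:space:]]+.?--disable-admission-plugins=' "$1" |
        sed -e 's/^.*--disable-admission-plugins=//' -e 's/[[:space:]"'"'"']*$//' |
        paste -sd, -
}

# Return 0 (finding) if NamespaceLifecycle is disabled in manifest $1, else 1.
namespace_lifecycle_disabled() {
    plugins=$(disabled_plugins "$1")
    # Wrap in commas so only a whole list entry matches, never a substring.
    case ",$plugins," in
        *,NamespaceLifecycle,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed manifest fragments, written to a temp dir so the demo runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bad.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --disable-admission-plugins=DefaultStorageClass,NamespaceLifecycle
EOF
cat > "$demo_dir/good.yaml" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --disable-admission-plugins=DefaultStorageClass
EOF

for f in "$demo_dir/bad.yaml" "$demo_dir/good.yaml"; do
    if namespace_lifecycle_disabled "$f"; then
        echo "FAIL $f: NamespaceLifecycle is disabled"
    else
        echo "PASS $f: NamespaceLifecycle is not disabled"
    fi
done
```

On a control plane node, call `namespace_lifecycle_disabled /etc/kubernetes/manifests/kube-apiserver.yaml` and treat a zero exit status as the finding.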