Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the NodeRestriction admission control plugin, which allows a kubelet to modify Node and Pod objects other than its own. This weakens access controls on node and pod changes within the cluster.

Impact

Without NodeRestriction, compromised or malicious kubelets could escalate privileges by modifying Node or Pod objects they should not control, potentially leading to cluster takeover, lateral movement, or disruption of workloads.

Resolution

Follow the Kubernetes documentation and configure the NodeRestriction plug-in for kubelets. Then edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the `--enable-admission-plugins` parameter to a value that includes NodeRestriction.
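A way to verify the resolution offline, as an added example that is not part of this page or the scanner's own code: the script below inspects the container `command` list as it appears in kube-apiserver.yaml (two constructed samples, one before and one after the fix) and reports whether NodeRestriction is effectively enabled, accepting both `--flag=value` and `--flag value` spellings and treating an absent flag as "off", since NodeRestriction is not in the API server's default plugin set.

```python
"""Added example (not from the original page): check a kube-apiserver static
pod command list for the NodeRestriction admission plugin, offline."""
from typing import Iterable

ENABLE_FLAG = "--enable-admission-plugins"
DISABLE_FLAG = "--disable-admission-plugins"


def flag_values(command: Iterable[str], flag: str) -> list[str]:
    """Collect the comma-separated values of `flag`, accepting both the
    `--flag=a,b` and `--flag a,b` spellings; a repeated flag accumulates."""
    args = list(command)
    values: list[str] = []
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            raw = arg[len(flag) + 1:]
        elif arg == flag and i + 1 < len(args):
            raw = args[i + 1]
        else:
            continue
        values.extend(v.strip() for v in raw.split(",") if v.strip())
    return values


def node_restriction_enabled(command: Iterable[str]) -> bool:
    """True only when NodeRestriction is explicitly enabled and not also
    disabled. It is not in the API server's default plugin set, so a missing
    --enable-admission-plugins flag means it is off."""
    args = list(command)
    return ("NodeRestriction" in flag_values(args, ENABLE_FLAG)
            and "NodeRestriction" not in flag_values(args, DISABLE_FLAG))


# Constructed sample: the container `command` from
# /etc/kubernetes/manifests/kube-apiserver.yaml before the fix.
WEAK_COMMAND = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NamespaceLifecycle",
]

# Constructed sample after the resolution: NodeRestriction added to the list.
FIXED_COMMAND = [
    "kube-apiserver",
    "--authorization-mode=Node,RBAC",
    "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction",
]

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK_COMMAND), ("fixed", FIXED_COMMAND)):
        print(f"{name}: NodeRestriction enabled = {node_restriction_enabled(cmd)}")
```

On a real control-plane node, feed the script the `command` list read from the manifest; it reports `weak: NodeRestriction enabled = False` and `fixed: ... = True` for the embedded samples.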