Ensure that the admission control plugin AlwaysPullImages is set
Description
The Kubernetes API server is not configured with the AlwaysPullImages admission control plugin. This plugin mutates every pod so that its imagePullPolicy is Always, forcing the kubelet to pull the image from the registry (and re-check the registry's pull authorization) on every container start. Without it, a node may start containers from an image already present in its local cache instead of fetching the current image, so outdated or unauthorized images can be used in the cluster.
Impact
Attackers could exploit this by running tampered or outdated images that persist in a node's local cache, bypassing image updates or security patches. This increases the risk of running vulnerable or malicious code and undermines efforts to enforce image provenance and security controls.
Resolution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --enable-admission-plugins parameter to include AlwaysPullImages (for example, --enable-admission-plugins=NodeRestriction,AlwaysPullImages). The kubelet restarts the static pod automatically when the manifest changes.
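The following POSIX shell check is an added example, not part of the original rule text: it reads a kubeadm-style kube-apiserver manifest, extracts the --enable-admission-plugins value, and reports whether AlwaysPullImages is in the list. The two manifests it inspects are constructed samples (the weak setting beside the corrected one); the function name check_always_pull_images is an assumption.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver static pod manifest for the
# AlwaysPullImages admission plugin. Assumes the kubeadm layout where the
# flag appears as a "- --enable-admission-plugins=..." list item.

# Returns 0 if AlwaysPullImages is enabled in the manifest, 1 otherwise.
check_always_pull_images() {
  manifest="$1"
  # Value of --enable-admission-plugins; empty when the flag is absent.
  plugins=$(sed -n 's/^[[:space:]]*-[[:space:]]*--enable-admission-plugins=//p' "$manifest" | head -n 1)
  case ",$plugins," in
    *,AlwaysPullImages,*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample manifests (not real cluster files); removed on exit.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --secure-port=6443
    image: registry.k8s.io/kube-apiserver:v1.29.0
    name: kube-apiserver
EOF
# Corrected manifest: AlwaysPullImages appended to the plugin list.
sed 's/--enable-admission-plugins=NodeRestriction/&,AlwaysPullImages/' \
  "$tmpdir/weak.yaml" > "$tmpdir/fixed.yaml"

for f in weak fixed; do
  if check_always_pull_images "$tmpdir/$f.yaml"; then
    echo "$f.yaml: PASS (AlwaysPullImages enabled)"
  else
    echo "$f.yaml: FAIL (AlwaysPullImages missing)"
  fi
done
```

Run it against the real manifest with check_always_pull_images /etc/kubernetes/manifests/kube-apiserver.yaml on the control plane node; a non-zero exit means the finding still applies.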