Ensure that the admission control plugin AlwaysAdmit is not set
| Property | |
|---|---|
| Language | |
| Severity | |
Description
The Kubernetes API server is configured with the ‘AlwaysAdmit’ admission control plugin enabled, which automatically allows all API requests without validation. This bypasses important security checks and access controls.
Impact
If exploited, any request—including potentially malicious or unauthorized changes—would be accepted by the API server, exposing the cluster to privilege escalation, resource abuse, and loss of control over Kubernetes workloads.
Resolution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.
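
One way to verify the resolution, as an added example that is not part of the original page: the script below reads a manifest and fails if AlwaysAdmit appears as an element of --enable-admission-plugins. The function names and the sample manifests are constructed for illustration; on a control plane node, point check_always_admit at /etc/kubernetes/manifests/kube-apiserver.yaml.

```shell
#!/bin/sh
# Added example (not from the original page): audit a kube-apiserver manifest.

# Print every plugin list passed to --enable-admission-plugins, one per line.
# YAML comments and quotes are stripped first, so commented-out flags are ignored.
enabled_admission_plugins() {
    sed 's/#.*//' "$1" | tr -d "\"'" |
        sed -n 's/^[[:space:]]*-[[:space:]]*--enable-admission-plugins=\([^[:space:]]*\).*/\1/p'
}

# Return 0 if AlwaysAdmit is not enabled, 1 if it is, 2 if the file is unreadable.
check_always_admit() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    # Split on commas so AlwaysAdmit only matches as a whole list element.
    if enabled_admission_plugins "$1" | tr ',' '\n' | grep -qx 'AlwaysAdmit'; then
        echo "FAIL: AlwaysAdmit is enabled in $1"
        return 1
    fi
    echo "PASS: AlwaysAdmit is not enabled in $1"
}

# Constructed sample: a minimal manifest whose last argument line is "$2".
make_sample() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    # - --enable-admission-plugins=AlwaysAdmit
    $2
EOF
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp/weak.yaml"  "- --enable-admission-plugins=NodeRestriction,AlwaysAdmit"
make_sample "$tmp/fixed.yaml" "- --enable-admission-plugins=NodeRestriction"
make_sample "$tmp/unset.yaml" ""
for f in weak fixed unset; do
    check_always_admit "$tmp/$f.yaml" || true
done
```

The weak sample is reported as FAIL; the fixed sample and the sample with the parameter removed both pass, matching the two options in the resolution.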