The admission control plugin AlwaysAdmit is set

ID

api_server_enable_admission_plugins_always_admit

Severity

low

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

In Kubernetes, an admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

Admission controllers limit requests to create, delete, or modify objects. They can also block custom verbs, such as a request to connect to a Pod via an API server proxy. Admission controllers do not (and cannot) block requests to read (get, watch or list) objects. The AlwaysAdmit plugin was deprecated in Kubernetes v1.13.

This admission controller admits every request it sees (the reference describes it as allowing all pods into the cluster). It is deprecated because its behavior is the same as if there were no admission controller at all: it enforces no policy, so a kube-apiserver whose only enabled plugin is AlwaysAdmit accepts any authenticated and authorized write without the mutation or validation that other plugins would apply. Because the admission chain admits a request only when every enabled plugin admits it, AlwaysAdmit does not switch off plugins listed beside it; the finding is that it is enabled at all, which is why the severity is low rather than a direct exposure.

Learn more about this topic at Admission Controllers Reference.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=AlwaysAdmit (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Enabling AlwaysAdmit is the same as if there were no admission controller at all: the plugin admits every request without applying any policy.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --enable-admission-plugins=other (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Verify that --enable-admission-plugins is not set to AlwaysAdmit. Here other stands for the list of plugins you actually need; either omit --enable-admission-plugins entirely (the default plugin set does not include AlwaysAdmit) or set it to that list without AlwaysAdmit. Check the running kube-apiserver process as well as the static pod manifest, since the two can drift apart.
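The check a practitioner would run on a control-plane node, as an added example (not part of the original rule page and not Kubernetes code). It reads the kube-apiserver argument list, one argument per line, either from /proc/<pid>/cmdline or from the static pod manifest, and reports whether AlwaysAdmit is enabled. It goes slightly beyond the rule's literal wording: it accepts both --flag=value and --flag value forms, matches whole comma-separated plugin names, and also flags the legacy --admission-control flag (an assumption here: that flag took the same plugin list before it was deprecated in favour of --enable-admission-plugins). The manifest helper and all sample inputs are constructed for this example; manifest_args is a line-oriented heuristic, not a YAML parser.

```shell
#!/bin/sh
# Added audit helper for the AlwaysAdmit finding (example code, not from the
# rule page or from Kubernetes). It inspects a kube-apiserver command line,
# one argument per line, which on a control-plane node you can obtain with
#   tr '\0' '\n' < /proc/"$(pgrep -o kube-apiserver)"/cmdline
# or from the static pod manifest via manifest_args below.

# Exit 0 when AlwaysAdmit is not enabled, 1 when it is. Reads argv on stdin.
# Handles both --flag=value and --flag value (pflag accepts either), matches
# whole comma-separated tokens so a name such as "AlwaysAdmitFoo" would not
# count, and also treats the legacy --admission-control flag as a hit
# (assumption: that flag took the same plugin list before its deprecation).
check_always_admit() {
  awk '
    function has_plugin(list,    n, i, parts) {
      n = split(list, parts, ",")
      for (i = 1; i <= n; i++) {
        gsub(/^ +| +$/, "", parts[i])          # tolerate stray spaces
        if (parts[i] == "AlwaysAdmit") return 1
      }
      return 0
    }
    /^--(enable-admission-plugins|admission-control)=/ {
      sub(/^[^=]*=/, "")                       # keep only the value
      if (has_plugin($0)) bad = 1
    }
    /^--(enable-admission-plugins|admission-control)$/ {
      if ((getline v) > 0 && has_plugin(v)) bad = 1   # value is next argument
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Print "pass" or "fail" for the argv on stdin (handy for reports and tests).
always_admit_status() {
  if check_always_admit; then echo pass; else echo fail; fi
}

# Extract flag arguments from a static pod manifest such as
# /etc/kubernetes/manifests/kube-apiserver.yaml: every YAML list item that
# begins with "--". A heuristic over the command:/args: lists, not a YAML
# parser, but sufficient for kubeadm-style manifests like the ones above.
manifest_args() {
  sed -n 's/^[[:space:]]*-[[:space:]]*\(--.*\)$/\1/p' "$1"
}

# Constructed sample inputs (not captured from a real cluster).
BAD_ARGS='kube-apiserver
--enable-admission-plugins=NodeRestriction,AlwaysAdmit
--secure-port=6443'
GOOD_ARGS='kube-apiserver
--enable-admission-plugins=NodeRestriction
--secure-port=6443'
SPACE_FORM='kube-apiserver
--enable-admission-plugins
AlwaysAdmit'
# Flag omitted entirely: the default plugin set does not include AlwaysAdmit.
UNSET='kube-apiserver
--secure-port=6443'
SAMPLE_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction,AlwaysAdmit
    - --secure-port=6443'

# Demo over the constructed inputs: BAD_ARGS, SPACE_FORM and the manifest
# fail, GOOD_ARGS and UNSET pass.
for name in BAD_ARGS GOOD_ARGS SPACE_FORM UNSET; do
  eval "args=\$$name"
  printf '%-10s %s\n' "$name" "$(printf '%s\n' "$args" | always_admit_status)"
done
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MANIFEST" > "$tmp"
printf '%-10s %s\n' manifest "$(manifest_args "$tmp" | always_admit_status)"
rm -f "$tmp"
```

On a live node, replace the constructed strings with the real process command line or the real manifest path; a "fail" from either source is the finding, and a mismatch between the two means the manifest on disk is not what is running.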