Details
Limit the `Node` and `Pod` objects that a kubelet could modify.
Rationale:
Using the `NodeRestriction` admission plug-in restricts each kubelet to the `Node` and `Pod` objects it is permitted to modify: a kubelet may modify only its own `Node` API object, and only `Pod` API objects that are bound to its node.
Solution
Follow the Kubernetes documentation and configure the `NodeRestriction` plug-in on the kubelets. Then edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_ADMISSION_CONTROL` parameter to `'--admission-control=…,NodeRestriction,…'`: `KUBE_ADMISSION_CONTROL='--admission-control=…,NodeRestriction,…'`
Restart the `kube-apiserver` service in the way appropriate for your system, for example: `systemctl restart kube-apiserver.service`
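As an added audit check (not part of the benchmark text), the helper below reads an `/etc/kubernetes/apiserver`-style environment file and reports whether `NodeRestriction` is listed in `KUBE_ADMISSION_CONTROL`; it assumes that file format, accepts both the `--admission-control` flag used above and the newer `--enable-admission-plugins` flag, and runs on constructed sample files.

```shell
#!/bin/sh
# Added audit helper, not from the benchmark. Reads an /etc/kubernetes/apiserver
# style environment file and checks that the NodeRestriction admission plug-in
# is enabled. Sample files below are constructed for the demo.

# Print the admission plug-in list, one name per line, from KUBE_ADMISSION_CONTROL.
# The ^ anchor skips commented-out lines; quotes around the value are stripped;
# both --admission-control (legacy) and --enable-admission-plugins are handled.
admission_plugins() {
  sed -n 's/^KUBE_ADMISSION_CONTROL=//p' "$1" \
    | tr -d "\"'" \
    | sed -n -e 's/.*--enable-admission-plugins=\([^ ]*\).*/\1/p' \
             -e 's/.*--admission-control=\([^ ]*\).*/\1/p' \
    | tr ',' '\n'
}

# Exit status 0 when NodeRestriction appears as a whole plug-in name
# (grep -x prevents substring matches), 1 otherwise.
has_node_restriction() {
  admission_plugins "$1" | grep -qx 'NodeRestriction'
}

# Demo on two constructed files. This audits the configuration file only;
# also compare against the flags of the running process (ps -ef | grep kube-apiserver),
# since the live API server is what actually enforces admission.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,ResourceQuota"' > "$tmp/compliant"
  printf '%s\n' 'KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota"' > "$tmp/missing"
  for f in "$tmp/compliant" "$tmp/missing"; do
    if has_node_restriction "$f"; then
      echo "PASS $f"
    else
      echo "FAIL $f: NodeRestriction not enabled"
    fi
  done
  rm -rf "$tmp"
}
demo
```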
Impact:
None
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.