Profile Applicability:
Level 2
Description:
The NodeRestriction admission control plugin limits which resources a kubelet is permitted to modify. It ensures that each kubelet can modify only its own Node object and the node-related resources (such as Pods, ConfigMaps, and Secrets) that belong to its own node, preventing a kubelet from making unauthorized modifications to other nodes in the cluster.
Rationale:
By enabling the NodeRestriction plugin, Kubernetes ensures that kubelets are restricted to accessing and modifying only resources related to their own node, thereby minimizing the risk of a compromised kubelet affecting other nodes. This plugin helps enforce the principle of least privilege, increasing the security and integrity of the Kubernetes cluster.
Impact:
Pros:
Increases security by restricting kubelets to modifying only resources related to their own node.
Reduces the risk of privilege escalation through compromised kubelets.
Cons:
Misconfiguration could block legitimate node modifications, affecting node management and operations.
Default Value:
Not enabled by default; it should be configured manually to enhance security.
Pre-requisites:
Kubelets must be properly configured to handle node-related resources in a restricted manner.
The NodeRestriction plugin must be explicitly enabled in the admission control configuration.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Node Group or EKS configuration details.
Check the --enable-admission-plugins flag and verify that NodeRestriction is listed among the enabled plugins.
Using AWS CLI:
Run the following AWS CLI command to describe your EKS cluster's configuration:
aws eks describe-cluster --name <cluster-name> --query "cluster.config"
Ensure that NodeRestriction is included in the --enable-admission-plugins list.
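The flag check in the test plan above, as an added example that is not part of this benchmark's own procedure: a Python script that inspects a kube-apiserver argument list (from a static pod manifest or process command line, where one is available to you) and reports whether NodeRestriction is effectively enabled. It also checks for the Node authorizer, which NodeRestriction is documented to work alongside; the sample command lines are constructed, not taken from a real cluster.

```python
"""Audit a kube-apiserver argument list for the NodeRestriction plugin.

Handles '--flag=a,b' and '--flag a,b' forms, repeated flags, and the
--disable-admission-plugins list, which overrides the enable list.
"""
from typing import Iterable

PLUGIN = "NodeRestriction"


def _flag_values(args: Iterable[str], flag: str) -> list[str]:
    """Collect comma-separated values given to a flag, in either form."""
    args = list(args)
    values: list[str] = []
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            raw = arg[len(flag) + 1:]
        elif arg == flag and i + 1 < len(args):
            raw = args[i + 1]
        else:
            continue
        values.extend(v.strip() for v in raw.split(",") if v.strip())
    return values


def node_restriction_enabled(args: Iterable[str]) -> bool:
    """True only if NodeRestriction is enabled and not also disabled."""
    args = list(args)
    enabled = _flag_values(args, "--enable-admission-plugins")
    disabled = _flag_values(args, "--disable-admission-plugins")
    return PLUGIN in enabled and PLUGIN not in disabled


def node_authorizer_enabled(args: Iterable[str]) -> bool:
    """True if the Node authorizer is part of --authorization-mode."""
    return "Node" in _flag_values(args, "--authorization-mode")


def audit(args: Iterable[str]) -> str:
    """One-line finding for a report: PASS only if both checks hold."""
    ok = node_restriction_enabled(args) and node_authorizer_enabled(args)
    return "PASS" if ok else "FAIL"


# Constructed sample argument lists (hypothetical, not from a real cluster).
GOOD = ["kube-apiserver", "--authorization-mode=Node,RBAC",
        "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction"]
DISABLED = GOOD + ["--disable-admission-plugins", "NodeRestriction"]
MISSING = ["kube-apiserver", "--authorization-mode", "RBAC",
           "--enable-admission-plugins", "NamespaceLifecycle"]

if __name__ == "__main__":
    for name, cmd in (("good", GOOD), ("disabled", DISABLED), ("missing", MISSING)):
        print(f"{name}: {audit(cmd)}")
```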
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Under the Cluster Configuration section, modify the API server's settings.
Ensure that the NodeRestriction admission control plugin is enabled.
Save the configuration and apply the changes.
Using AWS CLI:
Update the --enable-admission-plugins argument to include NodeRestriction:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --enable-admission-plugins NodeRestriction
Backout Plan:
Using AWS Console:
Navigate to the EKS cluster's API server configuration.
If necessary, remove NodeRestriction from the list of enabled admission control plugins.
Save the configuration and redeploy the cluster.
Using AWS CLI:
If issues occur, revert the change using:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --disable-admission-plugins NodeRestriction
References:
Kubernetes Admission Control Documentation
EKS Cluster Management