Profile Applicability:

  • Level 1

Description:

The AlwaysAdmit admission control plugin in Kubernetes allows all API requests to be admitted, bypassing any further validation or enforcement checks. While this can be useful in certain debugging or testing scenarios, it poses a significant security risk in production environments as it does not enforce any control over the requests made to the Kubernetes API.

Disabling AlwaysAdmit is essential to ensure that all requests undergo proper validation and admission control, maintaining the security and integrity of the cluster.

Rationale:

Enabling AlwaysAdmit essentially disables all admission control checks, potentially allowing unauthorized users to perform actions without validation. Disabling this plugin is a crucial step to prevent unrestricted access to the Kubernetes API and ensure proper enforcement of security policies.

Impact:

Pros:

  • Ensures that all requests to the Kubernetes API are subjected to necessary validation and control policies.

  • Prevents unauthorized or potentially malicious API requests from being admitted without checks.

Cons:

  • Misconfiguration or mismanagement of other admission control plugins may lead to access issues or unexpected denials.

Default Value:

Not enabled by default in a secure production environment.

Pre-requisites:

  • Admission control must be configured to enforce proper access control and security checks.

  • The AlwaysAdmit plugin should be removed or disabled in the configuration.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to your EKS Cluster.

  3. Check the --enable-admission-plugins flag in the cluster's API server configuration.

  4. Ensure that AlwaysAdmit is not listed as an enabled plugin.

Using AWS CLI:

Run the following AWS CLI command to describe your EKS cluster's API server configuration:

aws eks describe-cluster --name <cluster-name> --query "cluster.config"

  1. Verify that AlwaysAdmit is not listed under --enable-admission-plugins.
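Added check, not part of this benchmark page: the commands above target EKS, where AWS manages the API server; on a control plane whose kube-apiserver command line you can read (a kubeadm static pod manifest or the process list), this Python audits the admission-plugin flags directly, including the legacy --admission-control flag. The sample command lines are constructed.

```python
import shlex

# Flags that enable admission plugins (the second is the deprecated legacy name).
ENABLE_FLAGS = ("--enable-admission-plugins", "--admission-control")
DISABLE_FLAG = "--disable-admission-plugins"


def _flag_values(argv, flag):
    """Collect comma-separated values for a flag given as --flag=v or --flag v."""
    values = []
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            values.extend(argv[i + 1].split(","))
        elif arg.startswith(flag + "="):
            values.extend(arg[len(flag) + 1:].split(","))
    return {v.strip() for v in values if v.strip()}


def enabled_admission_plugins(cmdline):
    """Return the set of plugins explicitly enabled on a kube-apiserver command line."""
    argv = shlex.split(cmdline)
    enabled = set()
    for flag in ENABLE_FLAGS:
        enabled |= _flag_values(argv, flag)
    # An explicit disable takes the plugin out of the audited set.
    return enabled - _flag_values(argv, DISABLE_FLAG)


def audit_always_admit(cmdline):
    """PASS when AlwaysAdmit is not among the explicitly enabled plugins, else FAIL."""
    return "FAIL" if "AlwaysAdmit" in enabled_admission_plugins(cmdline) else "PASS"


# Constructed sample command lines (not taken from any real cluster).
SAMPLE_BAD = ("kube-apiserver --advertise-address=10.0.0.5 "
              "--enable-admission-plugins=NodeRestriction,AlwaysAdmit --authorization-mode=Node,RBAC")
SAMPLE_GOOD = ("kube-apiserver --enable-admission-plugins NodeRestriction,PodSecurity "
               "--authorization-mode=Node,RBAC")
SAMPLE_LEGACY = "kube-apiserver --admission-control=AlwaysAdmit,NamespaceLifecycle"

if __name__ == "__main__":
    for name, line in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD), ("legacy", SAMPLE_LEGACY)):
        print(f"{name}: {audit_always_admit(line)}")
```

On a kubeadm host the command line to feed in is the `command:` list of /etc/kubernetes/manifests/kube-apiserver.yaml joined with spaces, or the output of `ps -o args= -C kube-apiserver`.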

Implementation Plan:

Using AWS Console:

  1. Navigate to the EKS cluster in the AWS Console.

  2. Under the Cluster Configuration section, modify the API server's settings.

  3. Remove AlwaysAdmit from the list of enabled admission control plugins.

  4. Save the configuration and apply the changes.

Using AWS CLI:

To disable the AlwaysAdmit plugin, update the API server configuration using the following CLI command:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --disable-admission-plugins AlwaysAdmit

Backout Plan:

Using AWS Console:

  1. Navigate to the EKS cluster's API server configuration.

  2. Re-enable AlwaysAdmit if necessary for troubleshooting purposes.

  3. Save the configuration and redeploy the cluster.

Using AWS CLI:

If issues occur, revert the change by re-enabling the AlwaysAdmit plugin:

aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --enable-admission-plugins AlwaysAdmit

References: