Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

1.2.14 Ensure that the admission control plugin NamespaceLifecycle is set #28

Open
scfast opened this issue Apr 30, 2023 · 0 comments
Open
Labels
Level 1 Level 1 hardness

Comments

@scfast
Copy link

scfast commented Apr 30, 2023

Profile Applicability:
• Level 1 - Master Node

Description:
Reject creating objects in a namespace that is undergoing termination.

Rationale:
Setting admission control policy to NamespaceLifecycle ensures that objects cannot be
created in non-existent namespaces, and that namespaces undergoing termination are
not used for creating the new objects. This is recommended to enforce the integrity of
the namespace termination process and also for the availability of the newer objects.

Impact:
None

Audit:
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --disable-admission-plugins argument is set to a value that does not
include NamespaceLifecycle.

Default Value:
By default, NamespaceLifecycle is set.

References:

  1. https://kubernetes.io/docs/admin/kube-apiserver/
  2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle
@scfast scfast added the Level 1 Level 1 hardness label Apr 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Level 1 Level 1 hardness
Projects
None yet
Development

No branches or pull requests

1 participant