Best practices

K8S API server configuration without AlwaysPullImages admission control plugin

Risk Level

Informational (4)

Platform(s)
  • N/A

Compliance Frameworks

Description

It was found that the API server's admission control plugins parameter does not include 'AlwaysPullImages'. An admission controller is code that is executed after a request has been authenticated and authorized, in order to validate or change it. The AlwaysPullImages admission controller forces every new pod to pull its image, so a pod cannot run an image that it does not have permission to pull.

Recommended Mitigation

It is recommended to include the AlwaysPullImages plugin in the '--enable-admission-plugins' parameter.
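One way to test a kube-apiserver command line or static pod manifest for this finding, as an added example that is not part of the original page or of the scanner that produced it. The manifest excerpt is constructed, the function names are hypothetical, and the flag is assumed to appear on one line in `=` or space-separated form.

```python
import re

# Matches "--enable-admission-plugins=A,B" and "--enable-admission-plugins A,B".
FLAG_RE = re.compile(r"--enable-admission-plugins(?:=|\s+)([A-Za-z0-9_,]*)")
REQUIRED = "AlwaysPullImages"


def enabled_plugins(text):
    """Return the plugin names listed in --enable-admission-plugins, or None
    when the flag does not appear in the text at all."""
    found = None
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # ignore commented-out flags
        for match in FLAG_RE.finditer(line):
            found = found or set()
            found.update(p for p in match.group(1).split(",") if p)
    return found


def check_always_pull_images(text):
    """Return (passed, reason) for the finding described on this page."""
    plugins = enabled_plugins(text)
    if plugins is None:
        return False, "--enable-admission-plugins is not set"
    if REQUIRED not in plugins:  # plugin names are case-sensitive
        return False, "enabled plugins: " + ",".join(sorted(plugins))
    return True, "AlwaysPullImages is enabled"


# Constructed sample: excerpt of a kube-apiserver static pod manifest.
FAILING = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction
    # - --enable-admission-plugins=NodeRestriction,AlwaysPullImages
"""
# Same manifest with the recommended mitigation applied.
PASSING = FAILING.replace("=NodeRestriction\n", "=NodeRestriction,AlwaysPullImages\n", 1)

if __name__ == "__main__":
    for name, manifest in (("failing", FAILING), ("passing", PASSING)):
        print(name, check_always_pull_images(manifest))
```

The commented-out line in the sample shows why a plain text search for the plugin name is not enough: the name is present in the file but not in the effective flag.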