Securing Kubernetes Admission Controllers

Required knowledge for the CKS certification.

Admission controllers in Kubernetes play a crucial role in validating and mutating requests before they are persisted in the cluster. Misconfigurations in admission controllers can allow attackers to bypass security policies, deploy unauthorized workloads, and escalate privileges.


1. Use Validating and Mutating Admission Controllers Wisely

Issue: Mutating admission controllers rewrite objects automatically, and an unreviewed mutation can introduce security risks.
Fix: Enable only the Validating and Mutating Webhooks you actually need, and audit the changes they make.

Secure Webhook Admission Control

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: restrict-host-paths
webhooks:
  - name: restrict-host-paths.k8s.io
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE"]
    clientConfig:
      service:
        name: admission-controller
        namespace: kube-system
        path: "/validate"
    admissionReviewVersions: ["v1"]
    sideEffects: None      # required field in the v1 API
    failurePolicy: Fail    # deny the request if the webhook cannot be reached

Why It Matters

  • Ensures that security policies are enforced before workloads are created.
  • Prevents insecure configurations from being automatically modified.
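The configuration above only tells the API server where to send AdmissionReview requests; the webhook service behind /validate has to make the decision. The following Go program is an added example (not code from the original page or from any project it names) of a minimal validating webhook that denies Pods with hostPath volumes, matching the restrict-host-paths name used above. It declares the AdmissionReview types locally so it builds with the standard library alone, and the TLS certificate paths in main are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

// Minimal admission.k8s.io/v1 AdmissionReview shapes, declared locally so the
// example builds with the standard library alone (no k8s.io modules).
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}
type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being created
}
type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}
type status struct {
	Code    int32  `json:"code"`
	Message string `json:"message"`
}

// Only the Pod fields this policy inspects.
type pod struct {
	Spec struct {
		Volumes []struct {
			Name     string `json:"name"`
			HostPath *struct {
				Path string `json:"path"`
			} `json:"hostPath,omitempty"`
		} `json:"volumes"`
	} `json:"spec"`
}

// hostPathVolumes lists every hostPath volume as "volumeName=hostPath".
func hostPathVolumes(p pod) []string {
	var found []string
	for _, v := range p.Spec.Volumes {
		if v.HostPath != nil {
			found = append(found, v.Name+"="+v.HostPath.Path)
		}
	}
	return found
}

// review turns an AdmissionReview request body into an AdmissionReview
// response body. Anything it cannot parse is denied, never waved through.
func review(body []byte) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("invalid AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview has no request")
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: true}
	var p pod
	if err := json.Unmarshal(in.Request.Object, &p); err != nil {
		resp.Allowed = false
		resp.Status = &status{Code: 400, Message: "cannot decode pod: " + err.Error()}
	} else if bad := hostPathVolumes(p); len(bad) > 0 {
		resp.Allowed = false
		resp.Status = &status{Code: 403, Message: "hostPath volumes are not permitted: " + strings.Join(bad, ", ")}
	}
	return json.Marshal(admissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
}

// validateHandler serves the /validate path named in the webhook configuration.
func validateHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // bound request size
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}
	out, err := review(body)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write(out)
}

func main() {
	http.HandleFunc("/validate", validateHandler)
	// Placeholder cert/key paths: the API server only calls webhooks over HTTPS.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

Two design choices matter for security: the response carries the request's uid (the API server rejects a response whose uid does not match), and every decode failure produces an explicit denial rather than falling back to allowed, so a malformed object cannot slip past the check.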

2. Restrict Admission Controller Webhook Access

Issue: An attacker with write access to webhook configurations can edit or delete them to bypass security policies.
Fix: Use RBAC to limit who can read and, above all, who can modify webhook configurations.

Secure Webhook RBAC Policy

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole   # webhook configurations are cluster-scoped, so a namespaced Role cannot grant access to them
metadata:
  name: webhook-admin
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list"]   # read-only: no create, update, patch or delete

Why It Matters

  • Prevents unauthorized modifications to security-critical components.
  • Limits who can change admission controller behavior.

3. Set FailurePolicy to "Fail" for Critical Webhooks

Issue: If a webhook times out or is unreachable, Kubernetes may allow the request through (failurePolicy: Ignore) as if the check had passed.
Fix: Set failurePolicy: Fail so that requests are rejected while the admission controller is unavailable.

Secure Webhook Failure Policy

failurePolicy: "Fail"

Why It Matters

  • Prevents attackers from bypassing security checks by disrupting webhooks.
  • Ensures workloads are properly validated before being deployed.

4. Monitor Admission Controller Logs and Audit Changes

Issue: Unauthorized changes to admission controllers may go undetected.
Fix: Enable audit logging for admission controller events.

Enable Audit Logs (kube-apiserver flags)

--audit-log-path=/var/log/kubernetes/audit.log
--audit-policy-file=/etc/kubernetes/audit-policy.yaml

Why It Matters

  • Detects suspicious modifications to admission controller policies.
  • Provides visibility into rejected or modified API requests.
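Audit logging only helps if someone reads the output. The following Go program is an added example (not code from the original page) of detection logic over the JSON-lines audit log written by --audit-log-path: it flags every completed create, update, patch or delete against a ValidatingWebhookConfiguration or MutatingWebhookConfiguration, including denied attempts. It assumes the audit policy at --audit-policy-file records at least the Metadata level for the admissionregistration.k8s.io group; the sample log lines, user names and timestamps are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// The audit.k8s.io/v1 Event fields the detection needs; everything else is ignored.
type auditEvent struct {
	AuditID        string `json:"auditID"`
	Stage          string `json:"stage"`
	Verb           string `json:"verb"`
	StageTimestamp string `json:"stageTimestamp"`
	User           struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		APIGroup string `json:"apiGroup"`
		Resource string `json:"resource"`
		Name     string `json:"name"`
	} `json:"objectRef"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// Alert is one write attempt against a webhook configuration.
type Alert struct {
	Time, User, Verb, Resource, Name string
	Code                             int
}

var webhookResources = map[string]bool{
	"validatingwebhookconfigurations": true,
	"mutatingwebhookconfigurations":   true,
}

var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true}

// scanAuditLog reads JSON-lines audit output and returns an Alert for every
// completed write to a webhook configuration. Denied attempts (403) are kept:
// a principal probing for this permission is itself worth investigating.
func scanAuditLog(r io.Reader) ([]Alert, error) {
	var alerts []Alert
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 1<<20), 1<<20) // audit lines can exceed the default 64 KiB
	for sc.Scan() {
		line := bytes.TrimSpace(sc.Bytes())
		if len(line) == 0 {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal(line, &ev); err != nil {
			return alerts, fmt.Errorf("malformed audit line: %w", err)
		}
		if ev.Stage != "ResponseComplete" { // one alert per request, not one per stage
			continue
		}
		if ev.ObjectRef.APIGroup != "admissionregistration.k8s.io" || !webhookResources[ev.ObjectRef.Resource] {
			continue
		}
		if !writeVerbs[ev.Verb] {
			continue
		}
		alerts = append(alerts, Alert{
			Time: ev.StageTimestamp, User: ev.User.Username, Verb: ev.Verb,
			Resource: ev.ObjectRef.Resource, Name: ev.ObjectRef.Name, Code: ev.ResponseStatus.Code,
		})
	}
	return alerts, sc.Err()
}

// Constructed sample audit lines (not from a real cluster): a read, the two
// stages of a successful delete, a denied patch, and an unrelated pod create.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:policy-reader"},"objectRef":{"resource":"validatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"restrict-host-paths"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"RequestReceived","verb":"delete","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"validatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"restrict-host-paths"},"stageTimestamp":"2024-01-01T10:01:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:default:ci-runner"},"objectRef":{"resource":"validatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"restrict-host-paths"},"responseStatus":{"code":200},"stageTimestamp":"2024-01-01T10:01:01Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","verb":"patch","user":{"username":"dev-user"},"objectRef":{"resource":"mutatingwebhookconfigurations","apiGroup":"admissionregistration.k8s.io","name":"inject-sidecar"},"responseStatus":{"code":403},"stageTimestamp":"2024-01-01T10:02:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"dev-user"},"objectRef":{"resource":"pods","namespace":"default","name":"web-1"},"responseStatus":{"code":201},"stageTimestamp":"2024-01-01T10:03:00Z"}
`

func main() {
	alerts, err := scanAuditLog(strings.NewReader(sampleAuditLog))
	if err != nil {
		fmt.Println("scan error:", err)
	}
	for _, a := range alerts {
		fmt.Printf("%s user=%s verb=%s %s/%s http=%d\n", a.Time, a.User, a.Verb, a.Resource, a.Name, a.Code)
	}
}
```

Run against a live file with `scanAuditLog(os.Stdin)` and `kube-apiserver`'s audit log piped in, or tail the file and feed each line. Filtering on the ResponseComplete stage keeps one alert per request, and keeping 403 responses surfaces principals who tried to change webhook configurations and were refused.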

Conclusion

Securing Kubernetes Admission Controllers is critical for enforcing security policies, preventing unauthorized workloads, and protecting cluster integrity. By restricting webhook access, enforcing failure policies, enabling audit logs, and carefully configuring admission controllers, you can significantly reduce attack surfaces.