Namespace lifecycle admission control plugin disabled
Id: 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37
Cloud Provider: k8s
Platform: Kubernetes
Severity: Low
Category: Build Process
Description
When running kube-apiserver, the --disable-admission-plugins flag should not include the NamespaceLifecycle plugin. NamespaceLifecycle is enabled by default: it rejects requests that create objects in a namespace that does not exist or is being terminated, and it prevents deletion of the default, kube-system and kube-public namespaces. Disabling it bypasses those checks, which can leave orphaned resources behind and cause unexpected behaviour across namespaces. This rule identifies kube-apiserver containers and flags any --disable-admission-plugins setting, whether it appears in command or in args, whose value contains NamespaceLifecycle.
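The check described above, written out as an added example (not Datadog's or KICS's own rule code) that can be run against the JSON form of a Pod or a `kind: List` as returned by `kubectl -n kube-system get pods -o json`. It assumes a container is kube-apiserver when argv[0] or the image name says so, merges the flag's comma-separated values from both `--flag=a,b` and `--flag a,b` forms and from the `command` and `args` fields, and also looks inside a `sh -c "kube-apiserver ..."` wrapper so that a shell-wrapped entrypoint cannot hide the flag. The sample manifests at the bottom are constructed to mirror the compliant and non-compliant examples on this page.

```python
"""Added example: flag kube-apiserver containers whose
--disable-admission-plugins includes NamespaceLifecycle."""
import shlex

FLAG = "--disable-admission-plugins"
PLUGIN = "NamespaceLifecycle"


def effective_argv(container: dict) -> list:
    """Flatten command + args into one argv; unwrap a `sh -c "..."` wrapper.

    Kubernetes passes `command` as the entrypoint and `args` after it, so the
    flag can legitimately appear in either field.
    """
    argv = list(container.get("command") or []) + list(container.get("args") or [])
    base = argv[0].rsplit("/", 1)[-1] if argv else ""
    if base in ("sh", "bash") and "-c" in argv[:-1]:
        # Assumption: the real command line is the single string after -c.
        argv = shlex.split(argv[argv.index("-c") + 1])
    return argv


def is_kube_apiserver(container: dict, argv: list) -> bool:
    """Assumption: kube-apiserver is identified by argv[0] or by the image name."""
    if argv and argv[0].rsplit("/", 1)[-1] == "kube-apiserver":
        return True
    image = container.get("image", "").rsplit("/", 1)[-1]
    return image.split(":", 1)[0].startswith("kube-apiserver")


def disabled_plugins(argv: list) -> set:
    """Every plugin named in any --disable-admission-plugins occurrence.

    kube-apiserver takes a comma-separated list and accepts both `--flag=a,b`
    and `--flag a,b`; repeated flags are merged so a later occurrence cannot
    hide an earlier one from the check.
    """
    found = set()
    i = 0
    while i < len(argv):
        tok = argv[i]
        value = None
        if tok == FLAG and i + 1 < len(argv):
            i += 1
            value = argv[i]
        elif tok.startswith(FLAG + "="):
            value = tok[len(FLAG) + 1:]
        if value is not None:
            found.update(p.strip() for p in value.split(",") if p.strip())
        i += 1
    return found


def check_pod(pod: dict) -> list:
    """One finding per kube-apiserver container that disables NamespaceLifecycle."""
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = effective_argv(c)
        if not is_kube_apiserver(c, argv):
            continue
        if PLUGIN in disabled_plugins(argv):
            findings.append(f"{name}/{c.get('name', '?')}: {FLAG} contains {PLUGIN}")
    return findings


def check_document(doc: dict) -> list:
    """Accept a single Pod or a `kind: List` (the shape `kubectl get pods -o json` returns)."""
    if doc.get("kind") == "List":
        return [f for item in doc.get("items", []) for f in check_pod(item)]
    return check_pod(doc) if doc.get("kind") == "Pod" else []


def pod(name: str, command=None, args=None) -> dict:
    """Constructed sample input in the shape of this page's examples."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {"containers": [{
            "name": "command-demo-container",
            "image": "gcr.io/google_containers/kube-apiserver-amd64:v1.6.0",
            "command": command or [],
            "args": args or [],
        }]},
    }


if __name__ == "__main__":
    samples = {"kind": "List", "items": [
        pod("compliant-enabled", ["kube-apiserver"], ["--enable-admission-plugins=NamespaceLifecycle"]),
        pod("compliant-default", ["kube-apiserver"]),
        pod("bad-in-command", ["kube-apiserver", "--disable-admission-plugins=NamespaceLifecycle"]),
        pod("bad-in-args", ["kube-apiserver"], ["--disable-admission-plugins=NamespaceLifecycle"]),
        pod("bad-in-list", ["kube-apiserver"], ["--disable-admission-plugins", "PodSecurity,NamespaceLifecycle"]),
        pod("bad-wrapped", ["/bin/sh", "-c", "kube-apiserver --disable-admission-plugins=NamespaceLifecycle"]),
    ]}
    for finding in check_document(samples):
        print(finding)
```

To run it against a live control plane, feed `json.load(sys.stdin)` from `kubectl -n kube-system get pods -o json` into check_document; static-pod manifests under /etc/kubernetes/manifests can be checked the same way after loading the YAML into a dict.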
Compliant Code Examples
# NamespaceLifecycle is explicitly enabled and --disable-admission-plugins is absent
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--enable-admission-plugins=NamespaceLifecycle", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
  restartPolicy: OnFailure
# No admission flags at all: NamespaceLifecycle stays enabled by default
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: []
  restartPolicy: OnFailure
Non-Compliant Code Examples
# NamespaceLifecycle disabled via a flag in command
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver","--disable-admission-plugins=NamespaceLifecycle"]
    args: []
  restartPolicy: OnFailure
# Same flag passed via args instead of command; the rule checks both fields
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    command: ["kube-apiserver"]
    args: ["--disable-admission-plugins=NamespaceLifecycle"]
  restartPolicy: OnFailure