Admission controllers enabled
Description
Key admission controllers are enabled: PodSecurity, NodeRestriction, RBAC, ResourceQuota.
⚠️ Risk Impact
Disabled admission controllers leave policy gaps. A default-installed Kubernetes cluster may still have legacy controllers enabled while modern controllers are missing.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Verify that the kube-apiserver --enable-admission-plugins flag includes PodSecurity, NodeRestriction, ResourceQuota, ServiceAccount and LimitRanger.
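An added check, not EchelonGraph's scanner or any project code, that audits the kube-apiserver flags for the plugins listed above (and for RBAC in --authorization-mode, which is where RBAC is actually configured rather than as an admission plugin). It assumes a kubeadm-style static-pod manifest at /etc/kubernetes/manifests/kube-apiserver.yaml and runs here against a constructed sample manifest.

```shell
#!/bin/sh
# Added example (not EchelonGraph's scanner): audit kube-apiserver flags for the
# admission plugins this control requires, plus RBAC, which is configured through
# --authorization-mode rather than an admission plugin. Assumes a kubeadm-style
# static-pod manifest (/etc/kubernetes/manifests/kube-apiserver.yaml); the sample
# manifest below is constructed so the script runs offline.

REQUIRED="PodSecurity NodeRestriction ResourceQuota ServiceAccount LimitRanger"

# Print the value of flag $1 (no leading dashes) from manifest text on stdin.
# Accepts "--flag=v" and "--flag v", with or without a leading YAML list dash.
flag_value() {
  sed -n -E "s/^[[:space:]]*-?[[:space:]]*--$1[= ]([^[:space:]]+).*/\1/p" | head -n 1
}

# True if the comma-separated list $1 contains the item $2 exactly.
has_item() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# Report required plugins absent from --enable-admission-plugins or listed in
# --disable-admission-plugins, and a missing RBAC authorizer. Returns 1 on any finding.
check_admission() {
  manifest=$(cat "$1")
  enabled=$(printf '%s\n' "$manifest" | flag_value enable-admission-plugins)
  disabled=$(printf '%s\n' "$manifest" | flag_value disable-admission-plugins)
  authz=$(printf '%s\n' "$manifest" | flag_value authorization-mode)
  rc=0
  for p in $REQUIRED; do
    if ! has_item "$enabled" "$p"; then echo "MISSING: $p not in --enable-admission-plugins"; rc=1; fi
    if has_item "$disabled" "$p"; then echo "DISABLED: $p listed in --disable-admission-plugins"; rc=1; fi
  done
  if ! has_item "$authz" RBAC; then echo "MISSING: RBAC not in --authorization-mode"; rc=1; fi
  return $rc
}

# Constructed sample: a kubeadm-style command list with two required plugins
# absent from the enable list and ServiceAccount explicitly disabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction,PodSecurity,ResourceQuota
    - --disable-admission-plugins=ServiceAccount
EOF
if check_admission "$SAMPLE"; then echo "COMPLIANT"; else echo "NON-COMPLIANT"; fi
```

Plugins enabled by default for the running Kubernetes version do not have to appear in --enable-admission-plugins, so a MISSING result for one of those is a prompt to confirm it against the defaults printed by 'kube-apiserver -h', whereas a DISABLED result is conclusive. On a real control-plane node run check_admission against /etc/kubernetes/manifests/kube-apiserver.yaml instead of the sample.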
💀 Real-World Attack Scenario
A self-managed cluster had the ServiceAccount admission controller disabled. Pods could specify arbitrary service accounts, including system:-prefixed ones, which gave a privilege-elevation path.
💰 Cost of Non-Compliance
Missing admission controls enable privilege-escalation attacks.
📋 Audit Questions
1. Which admission controllers are enabled?
2. Is PodSecurity enabled?
3. Is NodeRestriction enabled?
4. Is ResourceQuota enabled?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Legacy clusters with an outdated controller list
- ⛔ ResourceQuota disabled to avoid 'limits'
- ⛔ PodSecurity deprecation transition incomplete
📈 Business Value
Admission controllers enforce policy at deployment.
⏱️ Effort Estimate
Audit per cluster
EchelonGraph monitors enabled admission plugins
Automate CIS Kubernetes 5.7.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.