TF 0156 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the admission control plugin AlwaysPullImages is set

Property   Value
Language   terraform
Severity   low

Description

The Kubernetes API server is not configured with the AlwaysPullImages admission control plugin. Without it, the kubelet may start containers from an image already cached on the node instead of pulling the image from the registry every time (the plugin forces every pod's image pull policy to Always). As a result, outdated or unauthorized images can be run in the cluster.

Impact

Attackers could exploit this by running tampered or outdated images that persist in a node's image cache, bypassing image updates or security patches. This increases the risk of running vulnerable or malicious code and undermines efforts to enforce image provenance and other image security controls.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and add AlwaysPullImages to the comma-separated list passed to the --enable-admission-plugins parameter.
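As an added example that is not part of this wiki page or the database's own checker, the following Python check takes an already-parsed kube-apiserver pod spec (the dict that loading the manifest above would yield) and reports whether AlwaysPullImages is enabled, handling both the `--flag=value` and `--flag value` forms; the two sample specs are constructed.

```python
"""Added check: does a kube-apiserver pod spec enable AlwaysPullImages?
Samples are constructed; the spec is the dict yaml.safe_load would return."""
from typing import Iterable

PLUGIN = "AlwaysPullImages"
ENABLE_FLAG = "--enable-admission-plugins"
DISABLE_FLAG = "--disable-admission-plugins"

# Constructed kube-apiserver static-pod spec that fails the check.
APISERVER_MISSING = {"spec": {"containers": [{"name": "kube-apiserver", "command": [
    "kube-apiserver", "--enable-admission-plugins=NodeRestriction",
    "--secure-port=6443"]}]}}

# Same spec after the resolution; also uses the two-token `--flag value` form.
APISERVER_FIXED = {"spec": {"containers": [{"name": "kube-apiserver", "command": [
    "kube-apiserver", "--secure-port=6443"],
    "args": ["--enable-admission-plugins", "NodeRestriction,AlwaysPullImages"]}]}}


def flag_values(argv: Iterable[str], flag: str) -> list[str]:
    """Collect the comma-separated values given to a list-valued flag.
    Accepts `--flag=a,b` and `--flag a,b`; repeated occurrences accumulate,
    as they do for kube-apiserver's string-slice flags."""
    tokens = list(argv)
    values: list[str] = []
    for i, tok in enumerate(tokens):
        if tok.startswith(flag + "="):
            values += tok.split("=", 1)[1].split(",")
        elif tok == flag and i + 1 < len(tokens):
            values += tokens[i + 1].split(",")
    return [v.strip() for v in values if v.strip()]


def apiserver_argv(pod: dict) -> list[str]:
    """Return command + args of every container that runs kube-apiserver."""
    argv: list[str] = []
    for c in pod.get("spec", {}).get("containers", []):
        cmd = list(c.get("command", [])) + list(c.get("args", []))
        if cmd and cmd[0].endswith("kube-apiserver"):
            argv.extend(cmd)
    return argv


def always_pull_images_enabled(pod: dict) -> bool:
    """True only if the plugin is enabled and not also explicitly disabled."""
    argv = apiserver_argv(pod)
    return (PLUGIN in flag_values(argv, ENABLE_FLAG)
            and PLUGIN not in flag_values(argv, DISABLE_FLAG))
```

A plugin listed under --disable-admission-plugins is treated as not enabled, so the check stays conservative when both flags are present.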