Kubernetes API server admission configuration includes AlwaysPullImages, an admission plugin that mutates every new Pod to set imagePullPolicy: Always, so each container image is fetched from the registry at startup using that Pod's own pull credentials rather than served from the node's local image cache.
Risk
Without AlwaysPullImages, a Pod can start from an image already cached on the node without a fresh registry pull, so the registry never re-checks whether that Pod's credentials actually authorize access to the image.
- Unauthorized use of private images (confidentiality)
- Stale or tampered images deployed (integrity)
- Vulnerable images persist, widening attack surface (availability)
Run this check with Prowler CLI
prowler kubernetes --checks apiserver_always_pull_images_plugin
Recommendation
Enable AlwaysPullImages on the API server.
Apply defense in depth: restrict pulls to trusted registries, enforce least-privilege image pull secrets, sign and scan images, and prefer immutable digests to prevent drift and ensure verified content.
Remediation
Other
- SSH to a control-plane node
- Edit /etc/kubernetes/manifests/kube-apiserver.yaml
- In spec.containers[0].command or args, ensure the --enable-admission-plugins flag lists AlwaysPullImages, e.g.: --enable-admission-plugins=<existing>,AlwaysPullImages
- Save the file; the kubelet will automatically restart the API server with the updated flag
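The following is an added example, not Prowler's or the Kubernetes project's own code: it audits a kube-apiserver command line for the AlwaysPullImages plugin and computes the remediated flag set. It assumes the `--flag=value` form used in static pod manifests, treats an absent flag as disabled (the plugin is off by default), and also removes the plugin from any --disable-admission-plugins list, since an explicit disable would otherwise override the enable.

```python
# Added example (not Prowler's code): audit a kube-apiserver command line for
# the AlwaysPullImages admission plugin and compute the remediated flags.
# Assumes the `--flag=value` form used in static pod manifests.
from typing import List

PLUGIN = "AlwaysPullImages"
ENABLE = "--enable-admission-plugins="
DISABLE = "--disable-admission-plugins="

def plugins(argv: List[str], prefix: str) -> List[str]:
    """Plugin names listed under the flag with the given prefix."""
    names: List[str] = []
    for arg in argv:
        if arg.startswith(prefix):
            names.extend(n for n in arg[len(prefix):].split(",") if n)
    return names

def always_pull_images_enabled(argv: List[str]) -> bool:
    """Off by default, so an absent flag means disabled; --disable wins."""
    enabled = PLUGIN in plugins(argv, ENABLE)
    return enabled and PLUGIN not in plugins(argv, DISABLE)

def remediate(argv: List[str]) -> List[str]:
    """Copy of argv with the plugin appended to --enable-admission-plugins
    (flag added if absent) and removed from --disable-admission-plugins."""
    out, enabled = [], False
    for arg in argv:
        if arg.startswith(ENABLE):
            names = plugins([arg], ENABLE)
            if PLUGIN not in names:
                names.append(PLUGIN)
            out.append(ENABLE + ",".join(names))
            enabled = True
        elif arg.startswith(DISABLE):
            names = [n for n in plugins([arg], DISABLE) if n != PLUGIN]
            if names:  # drop the flag entirely when nothing remains
                out.append(DISABLE + ",".join(names))
        else:
            out.append(arg)
    if not enabled:
        out.append(ENABLE + PLUGIN)
    return out

# Constructed sample: the command list of a typical static pod manifest.
SAMPLE_ARGV = [
    "kube-apiserver",
    "--enable-admission-plugins=NodeRestriction",
    "--disable-admission-plugins=AlwaysPullImages",
]
```

Running `remediate(SAMPLE_ARGV)` keeps NodeRestriction, appends AlwaysPullImages, and drops the now-empty disable flag; feed the result back to `always_pull_images_enabled` to confirm the fix before editing the manifest.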
Resource Type
Pod
References
- https://cjyabraham.gitlab.io/docs/reference/command-line-tools-reference/kube-apiserver/
- https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers
- https://blog.codefarm.me/2021/12/15/kubernetes-admission-controllers/
- https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages