This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 71%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Why isn't the noderestriction admission controller implemented on AKS?
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction
We can see this is not enabled on AKS in the docs here:
https://learn.microsoft.com/en-us/azure/aks/faq#what-kubernetes-admission-controllers-does-aks-support-can-admission-controllers-be-added-or-removed
And we can see that other managed Kubernetes implementations have it enabled:
https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html
What is the Microsoft AKS's team rationale for not implementing it? Why does the team believe it is not an issue?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 98%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
Thanks for sharing your feedback. I am reaching out to the internal team to get confirmation on this feature request.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 59%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
This is much needed. Latest report from PaloAlto PrismaCloud team ranks AKS as one of the worst platform when it comes to lateral movements in a cluster and privilege escalation.
Thanks for your valuable feedback. I have submitted this feedback as a feature request to the Product team. Currently, we do not have a roadmap to share on this feature request. I will track this feedback item and share here as I see an update on it. Thanks.
Thanks for raising awareness. Did you get an answer on the rationale for not implementing it and any mitigations for the lack of this admission controller? Does the AKS product team share the wider opinion that it is an essential security feature?
I have reached out to the engineering team. It may take some time but I will share the reply here as soon as I receive an update on this. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hi, any update on this?