1.1.32 Ensure that the --authorization-mode argument is set to Node

Information

Restrict kubelet nodes to reading only objects associated with them.

Rationale:

The `Node` authorization mode only allows kubelets to read `Secret`, `ConfigMap`, `PersistentVolume`, and `PersistentVolumeClaim` objects associated with their nodes.

Solution

Edit the `/etc/kubernetes/apiserver` file on the master node and set the `KUBE_API_ARGS` parameter to a value to include `--authorization-mode=Node`. One such example could be as below: `KUBE_API_ARGS='--authorization-mode=Node,RBAC'`

Based on your system, restart the `kube-apiserver` service. For example: `systemctl restart kube-apiserver.service`

Impact:

None

See Also

https://workbench.cisecurity.org/files/1738

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|9.1

Plugin: Unix

Control ID: dec187194d5ba10536e5dc892e46463d31149c521f3a6debc68cc6dbed142d55