1.2.7 Ensure that the --authorization-mode argument includes Node

Information

Restrict kubelet nodes to reading only objects associated with them.

Rationale:

The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.

Impact:

None

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.

--authorization-mode=Node,RBAC

Default Value:

By default, Node authorization is not enabled.

See Also

https://workbench.cisecurity.org/files/3892

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Unix

Control ID: 6f078583b702b1c735692a76d3f258623de582d127fc9511bc4c8ef07ea08b45