1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Information

Do not always authorize all requests.

Rationale:

The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.

Impact:

Only authorized requests will be served.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below.

--authorization-mode=RBAC

Default Value:

By default, AlwaysAllow is not enabled.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Unix

Control ID: 2dc919e43f62c54931c2544f20d58ca10370064d0b93a05115aa7dc83e3e9104