4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Information

Do not allow all requests. Enable explicit authorization.

Rationale:

Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.

Impact:

Unauthorized requests will be denied.

Solution

If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.

--authorization-mode=Webhook

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Default Value:

By default, --authorization-mode argument is set to AlwaysAllow.

See Also

https://workbench.cisecurity.org/files/4111

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|9.2

Plugin: Unix

Control ID: 85bbdaa7d3333caf50c952670116fb2ca9e3e5a9fedddb280de539f9cb862068