1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Information

Do not always authorize all requests.

Rationale:

The API Server, by default, allows all requests. You should restrict this behavior to only allow the authorization modes that you explicitly use in your environment. For example, if you don't use REST APIs in your environment, it is a good security best practice to switch off that capability.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--authorization-mode' parameter to values other than 'AlwaysAllow'. One such example could be as below.

--authorization-mode=RBAC

Impact:

Only authorized requests will be served.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|9.1

Plugin: Unix

Control ID: 848d8d662f6287d2f25e8242a100860da16ff29e0c7b585011045373144d32aa