1.1.32 Ensure that the --authorization-mode argument includes Node

Information

Restrict kubelet nodes to reading only objects associated with them.

Rationale:

The 'Node' authorization mode only allows kubelets to read 'Secret', 'ConfigMap', 'PersistentVolume', and 'PersistentVolumeClaim' objects associated with their nodes.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--authorization-mode' parameter to a value that includes 'Node'.

--authorization-mode=Node,RBAC

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: 067272dd9cb40a712de237a8f9c84b223fa32d72124255809ed92e4a27666495