Information
Restrict kubelet nodes to reading only objects associated with them.
Rationale:
The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.
Solution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
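An audit check for the setting above, as an added example that is not part of the benchmark text. The function names and the sample manifest are constructed for illustration, and the check assumes the flag appears once in the manifest.

```shell
#!/usr/bin/env bash
# Added example: check a kube-apiserver manifest for the Node authorizer.

# Print the value of --authorization-mode, or nothing if the flag is unset.
# Commented-out YAML lines are ignored so a disabled setting is not counted.
get_authz_modes() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eo -- '--authorization-mode=[A-Za-z,]+' \
        | head -n 1 | cut -d= -f2
}

# Return 0 if Node is one of the modes, 1 if it is not, 2 if unreadable.
check_node_authz() {
    [ -r "$1" ] || { echo "UNKNOWN: cannot read $1"; return 2; }
    modes=$(get_authz_modes "$1")
    if [ -z "$modes" ]; then
        echo "FAIL: --authorization-mode not set, Node authorization not enabled"
        return 1
    fi
    # Compare whole comma-separated tokens, not substrings.
    case ",$modes," in
        *,Node,*) echo "PASS: --authorization-mode=$modes"; return 0 ;;
        *)        echo "FAIL: --authorization-mode=$modes does not include Node"; return 1 ;;
    esac
}

# Constructed sample manifest (not from a real cluster); $2 is the mode list.
write_sample() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # - --authorization-mode=Node,RBAC
    - --authorization-mode=$2
EOF
}

# Demo on the constructed sample; on a real host pass
# /etc/kubernetes/manifests/kube-apiserver.yaml to check_node_authz instead.
tmp=$(mktemp)
write_sample "$tmp" "Node,RBAC";   check_node_authz "$tmp"
write_sample "$tmp" "AlwaysAllow"; check_node_authz "$tmp" || true
rm -f "$tmp"
```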
Impact:
None
Default Value:
By default, Node authorization is not enabled.
References:
https://kubernetes.io/docs/admin/kube-apiserver/
https://kubernetes.io/docs/admin/authorization/node/
https://github.com/kubernetes/kubernetes/pull/46076
https://acotten.com/post/kube17-security