1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not always authorize all requests.

Rationale:

The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.

Impact:

Only authorized requests will be served.

Solution

None. RBAC is always on and the OpenShift API server does not use the values assigned to the flag authorization-mode.

Default Value:

OpenShift uses RBAC by default.

See Also

https://workbench.cisecurity.org/files/4260