Details
Do not configure the API server to authorize all requests (--authorization-mode=AlwaysAllow).
Rationale:
The API server can be configured to allow all requests without performing any authorization check, so every authenticated (or anonymous, if enabled) client can do anything. This mode should not be used on any production cluster.
Impact:
Only authorized requests will be served.
Solution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to a value other than AlwaysAllow. One such example could be as below.
--authorization-mode=RBAC
The parameter accepts a comma-separated list of modes; AlwaysAllow must not appear anywhere in that list, because the authorizers are consulted in order and the first one to return a decision wins, so a list such as RBAC followed by AlwaysAllow still allows every request that RBAC does not explicitly deny. Because the file is a static pod manifest, the kubelet restarts the API server automatically after the edit; confirm the new flag on the running process afterwards.
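The following is an added audit script, not part of the original benchmark text. It parses the --authorization-mode argument out of a kube-apiserver static pod manifest and fails the check when the flag is missing or when AlwaysAllow appears anywhere in the comma-separated list. The three manifests it writes to a temporary directory are constructed samples (a weak one, one with the flag omitted, and a hardened one using Node,RBAC); the function name check_authz_mode and the assumption that the flag is written as a single "--authorization-mode=..." list item are the author's own.

```bash
#!/bin/sh
# Added example: audit a kube-apiserver manifest for AlwaysAllow.
# Constructed sample manifests follow; they are not from a real cluster.

# check_authz_mode FILE
# Prints a PASS/FAIL line and returns 0 only when --authorization-mode is
# present and contains no AlwaysAllow entry.
check_authz_mode() {
    file="$1"
    # Pull every "- --authorization-mode=VALUE" item (optionally quoted) out of
    # the args/command list and join the values into one comma-separated list.
    mode=$(sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}--authorization-mode=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$file" \
        | tr '\n' ',' | sed 's/,$//')
    if [ -z "$mode" ]; then
        # The kube-apiserver binary defaults to AlwaysAllow when the flag is
        # absent, so an unset flag is a failure, not a pass.
        echo "FAIL: --authorization-mode not set in $file (binary default is AlwaysAllow)"
        return 1
    fi
    # Authorizers are consulted in order and the first decision wins, so
    # AlwaysAllow anywhere in the list (e.g. RBAC,AlwaysAllow) is still a finding.
    case ",$mode," in
        *,AlwaysAllow,*)
            echo "FAIL: --authorization-mode=$mode includes AlwaysAllow in $file"
            return 1 ;;
    esac
    echo "PASS: --authorization-mode=$mode in $file"
    return 0
}

# Constructed sample manifests (left in place so they can be inspected).
tmp=$(mktemp -d)
WEAK_MANIFEST="$tmp/weak.yaml"
UNSET_MANIFEST="$tmp/unset.yaml"
FIXED_MANIFEST="$tmp/fixed.yaml"

cat > "$WEAK_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=RBAC,AlwaysAllow
    - --secure-port=6443
EOF

cat > "$UNSET_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --secure-port=6443
EOF

cat > "$FIXED_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --secure-port=6443
EOF

for f in "$WEAK_MANIFEST" "$UNSET_MANIFEST" "$FIXED_MANIFEST"; do
    check_authz_mode "$f" || true
done
```

On a live control plane node, point check_authz_mode at /etc/kubernetes/manifests/kube-apiserver.yaml; because the kubelet reloads static pods, also confirm the running process with ps -ef | grep kube-apiserver so that a manifest edit that failed to restart the server is not mistaken for a fix.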
Default Value:
By default, AlwaysAllow is not enabled: clusters built with kubeadm (which uses the manifest path above) set the flag explicitly. Note that the kube-apiserver binary itself defaults to AlwaysAllow when the flag is omitted entirely, so a missing flag is as unsafe as an explicit AlwaysAllow.
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.