Details

Do not allow all requests. Enable explicit authorization.

Rationale:

Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.

Impact:

Unauthorized requests will be denied.

Solution

If using a Kubelet config file, edit the file to set authorization: mode to Webhook.
If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS variable.

–authorization-mode=Webhook

Based on your system, restart the kubelet service. For example:

systemctl daemon-reload
systemctl restart kubelet.service

Default Value:

By default, –authorization-mode argument is set to AlwaysAllow.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3371https://workbench.cisecurity.org/files/3371https://workbench.cisecurity.org/files/3371

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-6
• 800-53|AC-6.
• CSCv6|14
• CSCv7|9.2

Source

• Tenable.com/audits