Guides
  1. kubernetes policies
  2. Node

Ensure that the --authorization-mode argument is not set to AlwaysAllow (Kubelet)

Risk Level: Critical
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.IAM.03
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesNode should have kubeletData.kubeletconfig.authorization.mode unlike '%AlwaysAllow%'

REMEDIATION

  • If using a Kubelet config file, edit the file to set authorization: mode to Webhook.

  • If using executable arguments, edit the kubelet service file
    $kubeletsvc on each worker node and
    set the below parameter in KUBELET_AUTHZ_ARGS variable.
    --authorization-mode=Webhook
    Based on your system, restart the kubelet service. For example:
    systemctl daemon-reload
    systemctl restart kubelet.service

  • If using the api configz endpoint consider searching for the status of authorization mode
    'Webhook' by extracting the live configuration from the nodes running kubelet.
    **See detailed step-by-step configmap procedures in
    https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/

References

  1. https://kubernetes.io/docs/admin/kubelet/
  2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication

Node

A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3

Updated 7 months ago