Ensure the --authorization-mode argument includes Node

Error: The --authorization-mode argument does not include Node

Bridgecrew Policy ID: BC_K8S_53
Checkov Check ID: CKV_K8S_75
Severity: MEDIUM

The --authorization-mode argument does not include Node

Description

Restrict each kubelet to reading only the objects bound to its own node. The Node authorization mode lets a kubelet read Secret, ConfigMap, PersistentVolume and PersistentVolumeClaim objects only when they are referenced by Pods scheduled on that node, so a compromised node cannot enumerate every Secret in the cluster. The mode name is case-sensitive (Node, not node), the flag takes a comma-separated list that is conventionally set to Node,RBAC (kubeadm's default), and when the flag is absent the API server falls back to AlwaysAllow. The authorizer identifies kubelets by their credentials (username system:node:<nodeName> in group system:nodes), so it only protects clusters whose kubelets authenticate with per-node identities. Pair it with the NodeRestriction admission plugin, which stops a kubelet from modifying objects that belong to other nodes.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+    - kube-apiserver
+    - --authorization-mode=RBAC,Node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
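As an added example (not Checkov's own implementation of CKV_K8S_75, and not code from the page), the following Python script applies the check above to a kube-apiserver static Pod manifest: it pulls the container's command line out of the YAML, reconstructs the authorizer chain the API server would build (handling --authorization-mode=A,B, --authorization-mode A,B and repeated occurrences, which accumulate as pflag string-slice flags do), and passes only when the exact, case-sensitive mode Node is present. The YAML handling is a deliberately minimal line-based extraction, an assumption of this example rather than a general parser, and both sample manifests are constructed here; the image tag is copied from the fix shown above.

```python
"""Static check: does the kube-apiserver command line enable the Node authorizer?"""
import re
from typing import Iterable, List, Tuple

# kube-apiserver falls back to AlwaysAllow when --authorization-mode is not set.
DEFAULT_MODES = ["AlwaysAllow"]


def extract_container_args(manifest: str) -> List[str]:
    """Collect the list items under every `command:` / `args:` key of a Pod manifest.

    Assumption of this example: minimal, line-based YAML handling that covers block
    lists and single-line quoted flow lists only (use a real YAML parser in production).
    """
    items: List[str] = []
    list_indent = None
    for raw in manifest.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if list_indent is not None:
            if indent > list_indent and line.startswith("- "):
                items.append(line[2:].strip().strip("\"'"))
                continue
            list_indent = None  # the block list has ended
        m = re.match(r"(?:-\s+)?(?:command|args):\s*(\[.*\])?\s*$", line)
        if not m:
            continue
        if m.group(1):  # flow style: command: ["kube-apiserver", "--flag=value"]
            items.extend(q[0] or q[1] for q in re.findall(r'"([^"]*)"|\'([^\']*)\'', m.group(1)))
        else:
            list_indent = indent
    return items


def authorization_modes(argv: Iterable[str]) -> List[str]:
    """Return the authorizer chain kube-apiserver would build from argv, in order."""
    args = list(argv)
    modes: List[str] = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--authorization-mode" and i + 1 < len(args):
            value, i = args[i + 1], i + 2          # --authorization-mode Node,RBAC
        elif arg.startswith("--authorization-mode="):
            value, i = arg.split("=", 1)[1], i + 1  # --authorization-mode=Node,RBAC
        else:
            i += 1
            continue
        # Repeated occurrences of a string-slice flag accumulate rather than override.
        modes.extend(v.strip() for v in value.split(",") if v.strip())
    return modes or list(DEFAULT_MODES)


def check_node_authorizer(argv: Iterable[str]) -> Tuple[bool, str]:
    """PASS only if the exact, case-sensitive mode name `Node` is in the chain."""
    modes = authorization_modes(argv)
    if "Node" in modes:
        note = "" if modes[0] == "Node" else " (Node is not first; kubeadm's default order is Node,RBAC)"
        return True, f"PASS: --authorization-mode={','.join(modes)}{note}"
    if any(m.lower() == "node" for m in modes):
        return False, "FAIL: mode names are case-sensitive; use 'Node'"
    return False, f"FAIL: Node authorizer missing, effective modes: {','.join(modes)}"


def check_manifest(manifest: str) -> Tuple[bool, str]:
    return check_node_authorizer(extract_container_args(manifest))


# Constructed sample manifests for this example (not taken from a real cluster).
FAILING_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
"""

FIXED_MANIFEST = FAILING_MANIFEST.replace("--authorization-mode=RBAC", "--authorization-mode=Node,RBAC")

if __name__ == "__main__":
    for name, text in (("failing", FAILING_MANIFEST), ("fixed", FIXED_MANIFEST)):
        ok, msg = check_manifest(text)
        print(f"{name}: {msg}")
```

The check reports, but does not fail on, RBAC,Node: authorizers are consulted in order and RBAC returns no opinion for requests it has no rule for, so the Node authorizer is still reached, but the conventional order is Node,RBAC. On a live control plane the same logic applies to the running process (`ps -ef | grep kube-apiserver`) rather than the manifest on disk, which is how the CIS benchmark audits it; clusters that have moved to the structured --authorization-config file declare the Node authorizer there instead, and that file is mutually exclusive with --authorization-mode, so this flag-based check does not cover them.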