Ensure the --authorization-mode argument is not set to AlwaysAllow
Error: The --authorization-mode argument is set to AlwaysAllow
Bridgecrew Policy ID: BC_K8S_96
Checkov Check ID: CKV_K8S_139
Severity: LOW
Description
Do not allow all requests. Enable explicit authorization. Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.
Fix - Buildtime
Kubernetes
- Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kubelet
    tier: control-plane
  name: kubelet
  namespace: kube-system
spec:
  containers:
  - command:
+   - kubelet
+   - --authorization-mode=RBAC,node
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    ...
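A sketch of this check run over Pod manifests, added here as an example; it is not Checkov's or Bridgecrew's implementation. It assumes manifests arrive as JSON and that a container is a kubelet when `kubelet` appears in its command; the function names, verdict labels and sample manifests are constructed for illustration.

```python
import json

FLAG = "--authorization-mode"

def authorization_modes(argv):
    """Collect modes from every occurrence of the flag; None if it never appears."""
    modes = None
    for i, arg in enumerate(argv):
        if arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
        elif arg == FLAG and i + 1 < len(argv):
            value = argv[i + 1]  # space-separated form: flag, then value
        else:
            continue
        # Accumulate so a duplicated flag cannot hide an AlwaysAllow entry.
        modes = (modes or []) + [m.strip() for m in value.split(",") if m.strip()]
    return modes

def check_manifest(text):
    """Return [(container name, verdict)] for kubelet containers in a JSON Pod manifest."""
    spec = json.loads(text).get("spec") or {}
    results = []
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        argv = [str(a) for a in (c.get("command") or []) + (c.get("args") or [])]
        if not any(a == "kubelet" or a.endswith("/kubelet") for a in argv):
            continue  # assumption: only containers that run kubelet are in scope
        modes = authorization_modes(argv)
        if not modes:
            verdict = "UNSET"  # no mode on the command line; review separately
        elif any(m.lower() == "alwaysallow" for m in modes):
            verdict = "FAIL"   # case-insensitive match errs toward reporting
        else:
            verdict = "PASS"
        results.append((c.get("name", "<unnamed>"), verdict))
    return results

def _pod(*command, name="kubelet"):
    return json.dumps({"kind": "Pod", "spec": {"containers": [{"name": name, "command": list(command)}]}})

# Constructed sample manifests; "page_fix" uses the command from the manifest above.
SAMPLES = {
    "always_allow": _pod("kubelet", "--authorization-mode=AlwaysAllow"),
    "split_form": _pod("kubelet", "--authorization-mode", "Webhook,AlwaysAllow"),
    "page_fix": _pod("kubelet", "--authorization-mode=RBAC,node"),
    "unset": _pod("kubelet"),
    "not_kubelet": _pod("nginx", "--authorization-mode=AlwaysAllow", name="web"),
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, check_manifest(text))
```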