Ensure the --authorization-mode argument is not set to AlwaysAllow

Error: The --authorization-mode argument is set to AlwaysAllow

Bridgecrew Policy ID: BC_K8S_96
Checkov Check ID: CKV_K8S_139
Severity: LOW

Description

Do not allow all requests. Enable explicit authorization. Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.
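The check described above can be sketched as follows. This is an added example, not Checkov's implementation or code from the original page; the function names, verdict strings and the sample manifest are hypothetical and constructed for illustration. It covers both the `--flag=value` and `--flag value` forms and reports a kubelet container that omits the flag separately from one that sets AlwaysAllow.

```python
# Added example (not Checkov's implementation): audit kubelet containers in a
# Pod spec for the --authorization-mode flag. All names here are hypothetical.
FLAG = "--authorization-mode"

def flag_value(argv, flag=FLAG):
    """Return the value of `flag`, or None. Accepts `--f=v` and `--f v`."""
    value = None
    for i, arg in enumerate(argv):
        if arg.startswith(flag + "="):
            value = arg.split("=", 1)[1]
        elif arg == flag and i + 1 < len(argv):
            value = argv[i + 1]
    return value  # assumption: when the flag repeats, the last one wins

def audit_container(container):
    """Classify one container dict as 'n/a', 'unset', 'fail' or 'pass'."""
    argv = list(container.get("command") or []) + list(container.get("args") or [])
    if not any(a == "kubelet" or a.endswith("/kubelet") for a in argv):
        return "n/a"          # not a kubelet container
    value = flag_value(argv)
    if value is None:
        return "unset"        # flag absent: kubelet default or config file applies
    modes = {m.strip().lower() for m in value.split(",")}
    return "fail" if "alwaysallow" in modes else "pass"

def audit_pod(pod):
    """Map container name -> verdict for every container in the Pod."""
    containers = (pod.get("spec") or {}).get("containers") or []
    return {c.get("name", "<unnamed>"): audit_container(c) for c in containers}

# Constructed sample manifest, already parsed into a dict.
SAMPLE_POD = {
    "kind": "Pod",
    "spec": {"containers": [
        {"name": "open", "command": ["kubelet", "--authorization-mode=AlwaysAllow"]},
        {"name": "hooked", "command": ["kubelet"], "args": [FLAG, "Webhook"]},
        {"name": "implicit", "command": ["/usr/bin/kubelet", "--anonymous-auth=false"]},
        {"name": "web", "command": ["nginx"]},
    ]},
}

if __name__ == "__main__":
    for name, verdict in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {verdict}")
```
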

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kubelet
    tier: control-plane
  name: kubelet
  namespace: kube-system
spec:
  containers:
  - command:
+   - kubelet
+   - --authorization-mode=RBAC,node
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    ...
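Review bot: the added `- --authorization-mode=RBAC,node` line uses API server authorizer names; the kubelet's --authorization-mode flag accepts only AlwaysAllow or Webhook, so the fix should read `- --authorization-mode=Webhook`.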