Ensure the --authorization-mode argument is not set to AlwaysAllow

Error: The --authorization-mode argument is set to AlwaysAllow

Bridgecrew Policy ID: BC_K8S_52
Checkov Check ID: CKV_K8S_74
Severity: MEDIUM

Description

Do not always authorize all requests. The API server can be configured to allow all requests by setting --authorization-mode to AlwaysAllow. This mode should not be used on any production cluster.
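One way to test a kube-apiserver Pod manifest for this setting, as an added example that is not Checkov's or Bridgecrew's own code. The function names, the result labels (FAILED, UNSET, PASSED) and the sample manifest are assumptions made for illustration; the manifest is passed in as an already-parsed dict.

```python
# Added example: flag kube-apiserver containers whose authorization mode
# includes AlwaysAllow. All sample manifests here are constructed.
import posixpath

FLAG = "--authorization-mode"


def authorization_modes(argv):
    """Return the modes given via --authorization-mode, or None if the flag is absent."""
    modes, seen = [], False
    args = iter(argv)
    for arg in args:
        if arg == FLAG:                     # "--authorization-mode RBAC" form
            value = next(args, "")
        elif arg.startswith(FLAG + "="):    # "--authorization-mode=RBAC" form
            value = arg.split("=", 1)[1]
        else:
            continue
        seen = True
        modes += [m.strip() for m in value.split(",") if m.strip()]
    return modes if seen else None


def check_pod(pod):
    """Map each kube-apiserver container name to FAILED, UNSET or PASSED."""
    results = {}
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        if not any(posixpath.basename(a) == "kube-apiserver" for a in argv):
            continue                        # not an API server container
        modes = authorization_modes(argv)
        if modes is None:
            status = "UNSET"                # flag missing: server default applies, review it
        elif "AlwaysAllow" in modes:
            status = "FAILED"               # AlwaysAllow anywhere in the list fails
        else:
            status = "PASSED"
        results[c.get("name", "?")] = status
    return results


def sample_pod(*flags):
    """Constructed sample manifest with the given kube-apiserver flags."""
    return {"kind": "Pod", "metadata": {"name": "kube-apiserver"},
            "spec": {"containers": [{"name": "kube-apiserver",
                                     "command": ["kube-apiserver", *flags]}]}}


if __name__ == "__main__":
    for flags in (["--authorization-mode=AlwaysAllow"], ["--authorization-mode=RBAC"], []):
        print(flags, check_pod(sample_pod(*flags)))
```
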

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --authorization-mode=RBAC,node
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...
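Review bot: in the added "--authorization-mode=RBAC,node" line, the second mode is spelled "node", but kube-apiserver matches mode names case-sensitively and the node authorizer is named "Node". As written the API server would reject the value at startup, so the fix should read "--authorization-mode=Node,RBAC" (or "RBAC,Node").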