Skip to main content

lacework-global-321

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

Profile Applicability

• Level 1

Description

Do not allow all requests. Enable explicit authorization.

Rationale

Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.

Impact

Unauthorized requests will be denied.

Audit

Audit Method 1:

If using a Kubelet configuration file, check that there is an entry for "authentication": "webhook": "enabled" set to true.

First, SSH to the relevant node:

Run the following command on each node to find the appropriate Kubelet config file:

ps -ef | grep kubelet

The output of the above command should return something similar to --config /etc/kubernetes/kubelet/kubelet-config.json which is the location of the Kubelet config file.

Open the Kubelet config file:

sudo more /etc/kubernetes/kubelet/kubelet-config.json

Verify that the "authentication": {"webhook": { "enabled": is set to true.

If the "authentication": {"mode": { argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by --config, and that file sets "authentication": {"mode": { to something other than AlwaysAllow.

Audit Method 2:

If using the api configz endpoint consider searching for the status of authentication... "webhook.*{"enabled":true} by extracting the live configuration from the nodes running kubelet.

Set the local proxy port and the following variables and provide proxy port number and node name; HOSTNAME_PORT="localhost-and-port-number" NODE_NAME="The-Name-Of-Node-To-Extract-Configuration" from the output of "kubectl get nodes"

kubectl proxy --port=8001 &

export HOSTNAME_PORT=localhost:8001 (example host and port number)
export NODE_NAME=ip-192.168.31.226.ec2.internal (example node name from "kubectl get nodes")

curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"

Remediation

Remediation Method 1:

If configuring via the Kubelet config file, you first need to locate the file.

To do this, SSH to each node and execute the following command to find the kubelet process:

ps -ef | grep kubelet

The output of the preceding command provides details of the active kubelet process, where you can see the location of the configuration file provided to the kubelet service with the --config argument. You can view the file with a command such as more or less, like so:

sudo less /path/to/kubelet-config.json

Enable Webhook Authentication by setting the following parameter:

"authentication": { "webhook": { "enabled": true } }

Next, set the Authorization Mode to Webhook by setting the following parameter:

"authorization": { "mode": "Webhook }

Refer to the Kubelet Configuration documentation for finer detail of the authentication and authorization fields: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1.

Remediation Method 2:

If using executable arguments, edit the kubelet service file on each worker node and ensure the below parameters are part of the KUBELET_ARGS variable string.

For systems using systemd, such as the Amazon Elastic Kubernetes Service (EKS) Optimised Amazon Linux or Bottlerocket Amazon Machine Images (AMI), then this file lives at /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf. Otherwise, you may need to look up documentation for your chosen operating system to determine which service manager is in use:

--authentication-token-webhook
--authorization-mode=Webhook

For Both Remediation Steps:

Based on your system, restart the kubelet service and inspect the service status.

The following example is for operating systems using systemd, such as the Amazon EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the systemctl command. If systemctl is not available then you need to look up documentation for your chosen operating system to determine which service manager is in use:

systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l

References

https://kubernetes.io/docs/admin/kubelet/
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

Last updated on