lacework-global-734
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
Description
Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests, rather than allowing all requests.
Remediation
If using a Kubelet config file:
Edit the file to set authorization:mode
to Webhook
.
If using command line arguments:
Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS
:
--authorization-mode=Webhook
Reload the configuration to update it with the changes made using:
systemctl daemon-reload
Then restart the kubelet service using:
systemctl restart kubelet.service
References
https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization
https://kubernetes.io/docs/reference/access-authn-authz/webhook/