lacework-global-734

Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

Description

Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests, rather than allowing all requests.

Remediation

If using a Kubelet config file:

Edit the file to set authorization:mode to Webhook.

If using command line arguments:

Edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_AUTHZ_ARGS:

--authorization-mode=Webhook

Reload the configuration to update it with the changes made using:

systemctl daemon-reload

Then restart the kubelet service using:

systemctl restart kubelet.service

References

https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/#kubelet-authorization
https://kubernetes.io/docs/reference/access-authn-authz/webhook/

Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)​

Description​

Remediation​

References​

Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

Description

Remediation

References