C-0118 - Ensure that the API Server --authorization-mode argument is not set to AlwaysAllow
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the the issue
The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.
Related resources
Pod
What does this control test
Do not always authorize all requests.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --authorization-mode
argument exists and is not set to AlwaysAllow
.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and set the --authorization-mode
parameter to values other than AlwaysAllow
. One such example could be as below.
--authorization-mode=RBAC
Impact Statement
Only authorized requests will be served.
Default Value
By default, AlwaysAllow
is not enabled.
Example
No example
Updated 3 months ago