C-0119 - Ensure that the API Server --authorization-mode argument includes Node
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.
Related resources
Pod
What does this control test
Restrict kubelet nodes to reading only objects associated with them.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --authorization-mode argument exists and is set to a value to include Node.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.
--authorization-mode=Node,RBAC
Impact Statement
None
Default Value
By default, Node authorization is not enabled.
Example
No example
Updated 28 days ago