C-0173 - Ensure that the --authorization-mode argument is not set to AlwaysAllow
Run Kubescape with host sensor (see here)
cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0
Description of the the issue
Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.
What does this control test
Do not allow all requests. Enable explicit authorization.
How to check it manually
Run the following command on each node:
ps -ef | grep kubelet
--authorization-mode argument is present check that it is not set to
AlwaysAllow. If it is not present check that there is a Kubelet config file specified by
--config, and that file sets
authorization: mode to something other than
It is also possible to review the running configuration of a Kubelet via the
/configz endpoint on the Kubelet API port (typically
10250/TCP). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.
If using a Kubelet config file, edit the file to set
authorization: mode to
If using executable arguments, edit the kubelet service file
/etc/kubernetes/kubelet.conf on each worker node and set the below parameter in
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
Unauthorized requests will be denied.
--authorization-mode argument is set to
Updated 8 days ago