CIS-1.2.7 - Ensure that the API Server --authorization-mode argument includes Node

Ensure that the API Server --authorization-mode argument includes Node

Framework

CIS

Severity

Medium

Description of the the issue

The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.

Related resources

Pod

What does this control test

Restrict kubelet nodes to reading only objects associated with them.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Verify that the --authorization-mode argument exists and is set to a value to include Node.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.

--authorization-mode=Node,RBAC

Impact Statement

None

Default Value

By default, Node authorization is not enabled.

Example

No example