1.2.7 Ensure that the --authorization-mode argument includes Node

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Restrict kubelet nodes to reading only objects associated with them.

The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node:

--authorization-mode=Node,RBAC
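
One way to verify the setting after editing the manifest, as an added example that is not part of the benchmark or of this audit: a shell function that checks Node is a whole entry in the comma-separated list rather than a substring. The function name, its return codes and the sample manifest are assumptions made for this example, and it assumes the flag is written in the --authorization-mode=<list> form shown above.

```shell
#!/bin/sh
# Added example: audit check for the --authorization-mode setting.
# Prints the configured mode list. Returns 0 if the list contains the
# exact entry "Node", 1 if it does not, 2 if the flag is not set or the
# file cannot be read.
authz_mode_includes_node() {
    manifest=$1
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 2; }
    # Ignore commented-out lines, capture the value after '=', drop any
    # YAML quoting. Assumption: if the flag appears more than once, the
    # last occurrence is the one evaluated.
    modes=$(grep -v '^[[:space:]]*#' "$manifest" \
        | sed -n 's/.*--authorization-mode=\([^[:space:]]*\).*/\1/p' \
        | tr -d "\"'" | tail -n 1)
    [ -n "$modes" ] || { echo "--authorization-mode not set" >&2; return 2; }
    echo "$modes"
    # Compare whole comma-separated entries so a longer name that merely
    # starts with "Node" (a hypothetical "NodeX") does not pass.
    case ",$modes," in
        *,Node,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample manifest fragment (not from a real cluster).
sample=$(mktemp)
cat > "$sample" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,Webhook
EOF
if authz_mode_includes_node "$sample" >/dev/null; then
    echo "PASS: Node is included in --authorization-mode"
else
    echo "FAIL: Node is not included in --authorization-mode"
fi
rm -f "$sample"
```

On a control plane node, call the function with /etc/kubernetes/manifests/kube-apiserver.yaml as its argument.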

Impact:

None

See Also

https://workbench.cisecurity.org/benchmarks/17568