1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not always authorize all requests.

The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to values other than AlwaysAllow One such example could be as below.

--authorization-mode=RBAC

Impact:

Only authorized requests will be served.

See Also

https://workbench.cisecurity.org/benchmarks/17568