1.1.19 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Information

Do not always authorize all requests.

Rationale:

The API server can be configured to allow all requests. This mode should not be used on any production cluster.

Solution

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--authorization-mode' parameter to values other than 'AlwaysAllow'. For example:

--authorization-mode=RBAC
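
One way to verify the setting after editing the manifest, as an added example that is not part of the benchmark text. The function name and return codes are assumptions; it treats a missing flag as a failure because kube-apiserver defaults '--authorization-mode' to 'AlwaysAllow', and it only recognises the '--flag=value' form.

```shell
#!/bin/sh
# Added example: audit a kube-apiserver static pod manifest.
# Usage: check_authz_mode /etc/kubernetes/manifests/kube-apiserver.yaml
#
# Return codes (illustrative, not defined by the benchmark):
#   0  flag present and AlwaysAllow is not in the list
#   1  AlwaysAllow is listed (alone or alongside other modes)
#   2  flag absent, so the API server falls back to its default, AlwaysAllow
#   3  manifest could not be read
check_authz_mode() {
    manifest=$1
    if [ ! -r "$manifest" ]; then
        echo "UNKNOWN: cannot read $manifest"
        return 3
    fi

    # Ignore commented-out YAML lines, then extract the value of every
    # --authorization-mode=... argument (plain or quoted list item).
    modes=$(grep -v '^[[:space:]]*#' "$manifest" \
        | sed -n 's/.*--authorization-mode=\([A-Za-z,]*\).*/\1/p')

    if [ -z "$modes" ]; then
        echo "FAIL: --authorization-mode not set (default is AlwaysAllow)"
        return 2
    fi

    # The value is a comma-separated list such as Node,RBAC; one
    # AlwaysAllow entry anywhere in it is enough to fail the check.
    for mode in $(printf '%s\n' "$modes" | tr ',' '\n'); do
        if [ "$mode" = "AlwaysAllow" ]; then
            echo "FAIL: AlwaysAllow present in --authorization-mode"
            return 1
        fi
    done

    echo "PASS: --authorization-mode does not include AlwaysAllow"
    return 0
}
```

The kubelet restarts the API server when the static pod manifest changes, so rerun the check against the file after saving it.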

See Also

https://workbench.cisecurity.org/files/2421

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: c9bda5859a350eb38661b3989743bf1208403eb3f10da77f5bf038db4e7f0653