1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Do not always authorize all requests.

Rationale:

The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.

Solution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below.

--authorization-mode=RBAC

Impact:

Only authorized requests will be served.

Default Value:

By default, AlwaysAllow is not enabled.

References:

https://kubernetes.io/docs/admin/kube-apiserver/

https://kubernetes.io/docs/admin/authorization/

See Also

https://workbench.cisecurity.org/files/2662

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: eea03336872359911fdeb70f50099a2fb8e98a85e04e1ee1c61b87b9e25fbb62