1.2.6 Ensure that the --authorization-mode argument is not set to AlwaysAllow

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Do not always authorize all requests.


The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.


Only authorized requests will be served.


Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below.


Default Value:

By default, AlwaysAllow is not enabled.

See Also