1.2.8 Verify that the Node authorizer is enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Restrict kubelet nodes to reading only objects associated with them.

Rationale:

The Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

No remediation is required.

Default Value:

By default, in OpenShift 4.5 and earlier, the Node authorizer is compiled into the API server and is not visible. In OpenShift 4.6, authorization-mode includes Node by default.

See Also

https://workbench.cisecurity.org/files/4260