Detections
Analytics
Ensure that the --authorization-mode argument is not set to AlwaysAllow
HIGH
Description
Description:
Do not allow all requests. Enable explicit authorization.
Rationale:
Kubelets can be configured to allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.
Unauthorized requests will be denied.
Remediation
Remediation Method 1:
If configuring via the Kubelet config file, you first need to locate the file.
To do this, SSH to each node and execute the following command to find the kubelet process:
ps -ef | grep kubelet
The output of the above command provides details of the active kubelet process, from which we can see the location of the configuration file provided to the kubelet service with the '--config' argument. The file can be viewed with a command such as 'more' or 'less', like so:
sudo less /path/to/kubelet-config.json
Enable Webhook Authentication by setting the following parameter:
"authentication": { "webhook": { "enabled": true } }
Next, set the Authorization Mode to 'Webhook' by setting the following parameter:
"authorization": { "mode": "Webhook }
Finer detail of the 'authentication' and 'authorization' fields can be found in the Kubelet Configuration documentation.
Remediation Method 2:
If using executable arguments, edit the kubelet service file on each worker node and ensure the below parameters are part of the 'KUBELET_ARGS' variable string.
For systems using 'systemd', such as the Amazon EKS Optimised Amazon Linux or Bottlerocket AMIs, then this file can be found at '/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf'. Otherwise, you may need to look up documentation for your chosen operating system to determine which service manager is configured:
--authentication-token-webhook
--authorization-mode=Webhook
For Both Remediation Steps:
Based on your system, restart the 'kubelet' service and check the service status.
The following example is for operating systems using 'systemd', such as the Amazon EKS Optimised Amazon Linux or Bottlerocket AMIs, and invokes the 'systemctl' command. If 'systemctl' is not available then you will need to look up documentation for your chosen operating system to determine which service manager is configured:
systemctl daemon-reload
systemctl restart kubelet.service
systemctl status kubelet -l
Policy Details
Frameworks
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 1 - Worker Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Worker Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1