Ensure that the --authorization-mode argument includes Node

MEDIUM

Description

Description:

Restrict kubelet nodes to reading only objects associated with them.

Rationale:

The 'Node' authorization mode only allows kubelets to read 'Secret', 'ConfigMap', 'PersistentVolume', and 'PersistentVolumeClaim' objects associated with their nodes.

Remediation

Edit the API server pod specification file '/etc/kubernetes/manifests/kube-apiserver.yaml' on the master node and set the '--authorization-mode' parameter to a value that includes 'Node', for example:

--authorization-mode=Node,RBAC
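The following is an added example (not part of the rule text or any vendor tooling) of a minimal audit check for this rule: it scans the command list of a kube-apiserver static pod manifest for the '--authorization-mode' flag and reports whether 'Node' is among the configured modes. The manifests embedded below are constructed samples; the "AlwaysAllow" fallback reflects the kube-apiserver default when the flag is not set.

```python
FLAG = "--authorization-mode"

# Constructed sample manifest that fails the rule (RBAC only, no Node mode).
SAMPLE_MANIFEST_WEAK = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=RBAC
    - --secure-port=6443
"""

# Same manifest after applying the remediation from this rule.
SAMPLE_MANIFEST_FIXED = SAMPLE_MANIFEST_WEAK.replace(
    "--authorization-mode=RBAC", "--authorization-mode=Node,RBAC")


def authorization_modes(manifest_text):
    """Return the modes set by the last --authorization-mode flag found in the
    manifest's list items (command/args), or ["AlwaysAllow"], the kube-apiserver
    default, when the flag is absent. Handles both '--flag=value' and the
    two-item '--flag' / 'value' form."""
    modes = None
    expect_value = False
    for line in manifest_text.splitlines():
        item = line.strip()
        if not item.startswith("- "):
            continue
        arg = item[2:].strip().strip("\"'")
        if expect_value:
            modes = [m.strip() for m in arg.split(",") if m.strip()]
            expect_value = False
        elif arg == FLAG:
            expect_value = True
        elif arg.startswith(FLAG + "="):
            # Last occurrence wins, mirroring command-line flag parsing.
            modes = [m.strip() for m in arg[len(FLAG) + 1:].split(",") if m.strip()]
    return modes if modes is not None else ["AlwaysAllow"]


def check_node_authorization(manifest_text):
    """Return (passed, modes); passed is True only when 'Node' is configured."""
    modes = authorization_modes(manifest_text)
    return "Node" in modes, modes
```

Run the check against each manifest under /etc/kubernetes/manifests on every control-plane node; a result of (False, ['AlwaysAllow']) means the flag is missing entirely, which is weaker than any explicit mode list.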

Policy Details

Rule Reference ID: AC_K8S_0095
Remediation Available: No
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks