Profile applicability: Level 1 - Master Node
Do not always authorize all requests.
The API Server can be configured to allow all requests. This mode should not be used
on any production cluster.
Note: By default, AlwaysAllow is not enabled.
Impact
Only authorized requests will be served.
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --authorization-mode argument exists and is not set to AlwaysAllow.
Remediation
Edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to values other than AlwaysAllow. Example below:
--authorization-mode=RBAC
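The audit step above can be scripted so that the result is unambiguous. The following POSIX shell check is an added example, not part of the benchmark text; the function names and the sample ps lines are constructed for this illustration. It fails when the argument is absent, and also when AlwaysAllow appears anywhere in a comma-separated mode list (e.g. Node,RBAC,AlwaysAllow), which a plain "is not set to AlwaysAllow" reading could miss.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit the kube-apiserver
# command line for --authorization-mode per the check above.

# authz_modes: print the value of --authorization-mode from a command line
# given as $1. Handles both "--flag=value" and "--flag value" forms.
# Prints nothing when the argument is absent.
authz_modes() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        /^--authorization-mode=/ { sub(/^--authorization-mode=/, ""); print; exit }
        /^--authorization-mode$/ { getline; print; exit }'
}

# check_authz_mode: return 0 (pass) when --authorization-mode is present
# and does not contain AlwaysAllow; return 1 (fail) otherwise.
check_authz_mode() {
    modes=$(authz_modes "$1")
    if [ -z "$modes" ]; then
        echo "FAIL: --authorization-mode argument not present"
        return 1
    fi
    # Wrap in commas so AlwaysAllow is matched as a whole list element.
    case ",$modes," in
        *,AlwaysAllow,*)
            echo "FAIL: --authorization-mode=$modes includes AlwaysAllow"
            return 1 ;;
    esac
    echo "PASS: --authorization-mode=$modes"
    return 0
}

# Constructed sample ps -ef lines (not real cluster output).
SAMPLE_PASS='root 1 0 0 10:00 ? 00:00:01 kube-apiserver --advertise-address=10.0.0.1 --authorization-mode=Node,RBAC --secure-port=6443'
SAMPLE_FAIL='root 1 0 0 10:00 ? 00:00:01 kube-apiserver --authorization-mode Node,RBAC,AlwaysAllow --secure-port=6443'
SAMPLE_MISSING='root 1 0 0 10:00 ? 00:00:01 kube-apiserver --secure-port=6443'

for sample in "$SAMPLE_PASS" "$SAMPLE_FAIL" "$SAMPLE_MISSING"; do
    check_authz_mode "$sample" || true
done
```

On a live Control Plane node, feed the real process line instead: `check_authz_mode "$(ps -ef | grep '[k]ube-apiserver')"`.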
