Profile applicability: Level 1 - Worker Node
Ensure that the --authorization-mode argument in Kubelets is not set to AlwaysAllow, so that explicit authorization is enforced. A Kubelet running in AlwaysAllow mode accepts every authenticated request, anonymous requests included, without asking the apiserver whether the caller is authorized, which is a security risk. Restrict this behavior so that only explicitly authorized requests are served. Setting --authorization-mode to a more restrictive value ensures that unauthorized requests are systematically denied, strengthening the security of your Kubernetes environment.

Impact

Unauthorized requests will be denied.

Audit

Audit method 1:
Note
Kubelets can be configured via a configuration file or command line arguments. Command line arguments take precedence. Check both command line arguments and configuration file entries when auditing Kubelet configurations.
  1. SSH into each node and run the following command to view details of the active Kubelet process:
    ps -ef | grep kubelet
  2. Identify the location of the configuration file from the --config argument in the output. View the file using:
    sudo less /path/to/kubelet-config.json
  3. Verify that Webhook Authentication is enabled:
    • Command line argument to the Kubelet service:
      --authentication-token-webhook
    • In the Kubelet configuration file:
      {
        "authentication": {
          "webhook": {
            "enabled": true
          }
        }
      }
  4. Verify that the Authorization Mode is set to Webhook:
    • Command line argument to the Kubelet service:
      --authorization-mode=Webhook
    • In the Kubelet configuration file:
      {
        "authorization": {
          "mode": "Webhook"
        }
      }
Audit method 2:
Review the running configuration of a Kubelet via the "/configz" endpoint of the Kubernetes API using kubectl:
  1. Discover all nodes in your cluster:
    kubectl get nodes
  2. Initiate a proxy with kubectl on a local port (e.g., 8080):
    kubectl proxy --port=8080
  3. In a separate terminal, run the following commands for each node:
    export NODE_NAME=my-node-name
    curl http://localhost:8080/api/v1/nodes/${NODE_NAME}/proxy/configz
  4. Verify that Webhook Authentication is enabled by checking the API response:
    {
      "authentication": {
        "webhook": {
          "enabled": true
        }
      }
    }
  5. Verify that the Authorization Mode is set to Webhook by checking the API response:
    {
      "authorization": {
        "mode": "Webhook"
      }
    }
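An added example, not part of the benchmark, that applies audit method 1 programmatically: it parses the kubelet command line as seen in ps output, loads the JSON configuration file form shown above, and resolves each setting with command-line precedence, so a compliant file that is overridden by an --authorization-mode=AlwaysAllow flag is correctly reported as failing. The sample command line and configuration are constructed, and SAMPLE_CMDLINE, SAMPLE_CONFIG and the function names are this example's own.

```python
import json
import shlex

# Constructed sample inputs (not from a real node): the config file is compliant,
# but the command line overrides the authorization mode with AlwaysAllow.
SAMPLE_CMDLINE = ("/usr/bin/kubelet --config=/var/lib/kubelet/config.json "
                  "--authorization-mode=AlwaysAllow --kubeconfig=/etc/kubernetes/kubelet.conf")
SAMPLE_CONFIG = json.dumps({"authentication": {"webhook": {"enabled": True}},
                            "authorization": {"mode": "Webhook"}})

def kubelet_flags(cmdline):
    """Parse the kubelet command line into {flag: value}; a bare flag maps to True."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value if sep else True
    return flags

def effective_setting(flags, flag_name, config, *path):
    """Resolve one setting as the kubelet does: a command-line flag wins over the config file."""
    if flag_name in flags:
        return flags[flag_name], "command line"
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None, "unset"
        node = node[key]
    return node, "config file"

def audit_kubelet(cmdline, config_json):
    """Check both conditions of this control and report each value with its source."""
    flags = kubelet_flags(cmdline)
    config = json.loads(config_json)
    auth, auth_src = effective_setting(flags, "authentication-token-webhook", config,
                                       "authentication", "webhook", "enabled")
    authz, authz_src = effective_setting(flags, "authorization-mode", config,
                                         "authorization", "mode")
    # A bare --authentication-token-webhook flag (parsed as True) means enabled.
    webhook_auth_ok = auth is True or auth == "true"
    # Anything other than an explicit Webhook mode (including unset) fails the check.
    authz_ok = isinstance(authz, str) and authz.lower() == "webhook"
    return {"webhook_authentication": {"pass": webhook_auth_ok, "value": auth, "source": auth_src},
            "authorization_mode": {"pass": authz_ok, "value": authz, "source": authz_src},
            "compliant": webhook_auth_ok and authz_ok}

if __name__ == "__main__":
    print(json.dumps(audit_kubelet(SAMPLE_CMDLINE, SAMPLE_CONFIG), indent=2))
```

On a real node, pass the kubelet line from ps -ef and the contents of the file named by --config; the report shows which source (command line or config file) produced each effective value.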

Remediation

Method 1:
  1. SSH into each node.
  2. Locate the Kubelet configuration file from the --config argument of the running process:
    ps -ef | grep kubelet
  3. View the configuration file using:
    sudo less /path/to/kubelet-config.json
  4. Enable Webhook Authentication and set the Authorization Mode to Webhook by setting the following parameters:
    {
      "authentication": {
        "webhook": {
          "enabled": true
        }
      },
      "authorization": {
        "mode": "Webhook"
      }
    }
  5. Restart the kubelet service and check its status (example for systems using systemd):
    systemctl daemon-reload
    systemctl restart kubelet.service
    systemctl status kubelet -l
Method 2:
  1. If using command line arguments, edit the kubelet service file to include the following parameters:
    --authentication-token-webhook
    --authorization-mode=Webhook
  2. For systems using systemd, edit the file located at /etc/systemd/system/kubelet.service.d/10-kubelet-args.conf.
  3. Restart the kubelet service and check its status (example for systems using systemd):
    systemctl daemon-reload
    systemctl restart kubelet.service
    systemctl status kubelet -l