Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

1.2.7 Ensure that the --authorization-mode argument includes Node #24

Open
scfast opened this issue Apr 30, 2023 · 0 comments
Open

1.2.7 Ensure that the --authorization-mode argument includes Node #24

scfast opened this issue Apr 30, 2023 · 0 comments
Labels
Level 1 Level 1 hardness

Comments

@scfast
Copy link

scfast commented Apr 30, 2023

Profile Applicability:
• Level 1 - Master Node

Description:
Restrict kubelet nodes to reading only objects associated with them.

Rationale:
The Node authorization mode only allows kubelets to read Secret, ConfigMap,
PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.

Impact:
None

Audit:
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --authorization-mode argument exists and is set to a value to include
Node.

Default Value:
By default, Node authorization is not enabled.

References:

  1. https://kubernetes.io/docs/admin/kube-apiserver/
  2. https://kubernetes.io/docs/admin/authorization/node/
  3. Node authorizer kubernetes/kubernetes#46076
  4. https://acotten.com/post/kube17-security
@scfast scfast added the Level 1 Level 1 hardness label Apr 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Level 1 Level 1 hardness
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@scfast