Profile applicability: Level 1 - Master Node
Restrict kubelet nodes to reading only objects associated with them.
The
Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes. |
NoteBy default,
Node authorization is not enabled. |
Audit
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the
--authorization-mode argument exists and is set to a value to include Node.Remediation
Edit the API server pod specification file
/etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.--authorization-mode=Node,RBAC