Profile Applicability:

  • Level 1

Description:
The --authorization-mode flag of the Kubernetes kube-apiserver controls the authorization strategy used to decide whether a user or service is permitted to perform a given action. The AlwaysAllow mode accepts every request without any authorization check, which is a significant security risk. This check ensures that AlwaysAllow is not among the configured modes, so that proper authorization checks are enforced.

Rationale:
Enabling the AlwaysAllow authorization mode effectively disables authorization checks, so any user whose request reaches the API server can perform any action on the cluster. This creates a major security vulnerability and should be avoided. Ensuring that a proper authorization mechanism such as RBAC (Role-Based Access Control) is in place improves cluster security.

Impact:

  • Pros:

    • Ensures proper authorization checks are enforced for all API requests.

    • Helps maintain secure access control within the Kubernetes cluster.

  • Cons:

    • May require changes to existing configuration if AlwaysAllow is enabled.

Default Value:
The default authorization mode may vary, but AlwaysAllow should be disabled in a secure Kubernetes environment.

Pre-requisites:
Ensure that proper authorization mechanisms (e.g., RBAC) are configured and functioning in the Kubernetes cluster.

Remediation:

Test Plan:

Using Azure Console:

  1. Navigate to the Kubernetes cluster configuration settings.

  2. Review the kube-apiserver configuration to check if the --authorization-mode flag is set to AlwaysAllow.

Using Azure CLI:

  1. Use the following command to check the current authorization mode:

     ps aux | grep kube-apiserver

  2. Ensure that the --authorization-mode does not include AlwaysAllow.
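As an added example (not part of this benchmark page), the POSIX shell check below automates the two test steps above: it extracts the --authorization-mode value from a kube-apiserver command line as printed by ps aux, in either the --flag=value or --flag value form, and fails when AlwaysAllow is among the comma-separated modes. The three process lines are constructed samples, not output captured from a real cluster.

```shell
#!/bin/sh
# Print the value of --authorization-mode from a kube-apiserver command line.
# Handles "--authorization-mode=Node,RBAC" and "--authorization-mode Node,RBAC".
# Prints nothing when the flag is absent.
authz_mode_of() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    /^--authorization-mode=/ { sub(/^--authorization-mode=/, ""); print; exit }
    /^--authorization-mode$/ { getline; print; exit }
  '
}

# Exit status: 0 = pass (AlwaysAllow not configured), 1 = fail (AlwaysAllow
# present), 2 = flag missing (the binary's default applies and must be
# reviewed rather than assumed safe).
check_authz_mode() {
  mode=$(authz_mode_of "$1")
  [ -n "$mode" ] || return 2
  printf '%s\n' "$mode" | tr ',' '\n' | grep -qx 'AlwaysAllow' && return 1
  return 0
}

# Constructed sample process lines (not captured from a real cluster).
GOOD='root 1 0.0 2.1 /usr/local/bin/kube-apiserver --authorization-mode=Node,RBAC --anonymous-auth=false'
BAD='root 1 0.0 2.1 /usr/local/bin/kube-apiserver --authorization-mode Node,AlwaysAllow --anonymous-auth=false'
NONE='root 1 0.0 2.1 /usr/local/bin/kube-apiserver --anonymous-auth=false'

# On a Linux control plane node the live command line can be fed in with:
#   check_authz_mode "$(ps -o args= -C kube-apiserver)"
for line in "$GOOD" "$BAD" "$NONE"; do
  check_authz_mode "$line"; rc=$?
  case $rc in
    0) echo "PASS: --authorization-mode=$(authz_mode_of "$line")" ;;
    1) echo "FAIL: AlwaysAllow present in '$(authz_mode_of "$line")'" ;;
    2) echo "REVIEW: --authorization-mode not set, default mode applies" ;;
  esac
done
```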

Implementation Plan:

Using Azure Console:

  1. Access the kube-apiserver configuration.

  2. Modify the --authorization-mode argument to remove AlwaysAllow and ensure secure authorization modes like RBAC are enabled.

Using Azure CLI:

  1. Update the --authorization-mode flag by modifying the kube-apiserver configuration:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Remove AlwaysAllow and ensure appropriate authorization modes like RBAC are enabled.

Backout Plan:

Using Azure Console:

  1. If the change causes issues, revert the --authorization-mode setting to include AlwaysAllow temporarily.

Using Azure CLI:

  1. Revert the setting to allow AlwaysAllow by running the following command:

     kubectl -n kube-system edit deployment kube-apiserver

  2. Add AlwaysAllow back to the --authorization-mode flag if necessary.

References:

  1. Kubernetes Authorization Modes Documentation

  2. Kubernetes Security Best Practices