Profile Applicability:
Level 1
Description:
The --authorization-mode argument controls which authorizers the Kubernetes API server (kube-apiserver) consults for each request, in the order listed. Including Node enables the Node authorizer, which authorizes requests made with a node identity (user name system:node:<nodeName> in the group system:nodes) only for the objects tied to that node: its own Node object, the Pods bound to it, and the Secrets, ConfigMaps, PersistentVolumeClaims and PersistentVolumes those Pods reference. Without Node, a kubelet's access to the API is governed solely by the other modes in the list, either all-or-nothing RBAC bindings or, with AlwaysAllow, no restriction at all. This is a control-plane setting and is distinct from the kubelet's own authorization.mode (AlwaysAllow or Webhook), which governs requests to the kubelet's HTTPS endpoint. The Node authorizer is normally paired with the NodeRestriction admission plugin, which prevents a kubelet from modifying Node or Pod objects other than its own.
Rationale:
The Node authorizer is what bounds the damage from a compromised or misbehaving kubelet: each node's credentials reach only the objects its own workloads depend on, so taking over one node does not expose every Secret in the cluster. Relying on RBAC alone for node identities means either granting the system:nodes group cluster-wide read access (the pre-1.7 behaviour the Node authorizer replaced) or leaving kubelets unable to fetch their Pods' dependencies; AlwaysAllow removes access control entirely.
Impact:
Pros:
Limits each kubelet to the Secrets, ConfigMaps, volumes and Pod objects associated with its own node, so compromising one node does not grant read access to the whole cluster.
Applies a least-privilege model to node identities without maintaining per-node RBAC bindings; the scope is derived automatically from where Pods are scheduled.
Cons:
Kubelets must authenticate with a node identity the authorizer recognises (user name system:node:<nodeName> in group system:nodes, normally from the node's client certificate); any other identity receives no authorization from this mode.
A misissued node certificate, or removing Node from the list without an alternative RBAC binding for system:nodes, leaves kubelets unable to register or to fetch their Pods' Secrets and ConfigMaps.
Default Value:
kube-apiserver defaults to AlwaysAllow when the flag is omitted. On Amazon EKS the API server is managed by AWS and the flag is not exposed to the customer; the EKS control plane runs with the Node and RBAC authorizers enabled. Self-managed distributions such as kubeadm set --authorization-mode=Node,RBAC by default.
Pre-requisites:
Kubelets must authenticate to the API server with a node identity (user name system:node:<nodeName>, group system:nodes). On EKS this comes from the node IAM role mapping, via aws-auth or an EC2 access entry, to user name system:node:{{EC2PrivateDNSName}} and group system:nodes; on self-managed clusters it comes from the client certificate issued during node bootstrap.
On a self-managed control plane, Node must be present in the kube-apiserver --authorization-mode list. The kubelet configuration has no such argument; the kubelet's own setting is authorization.mode, which should be Webhook so that it delegates decisions to the API server.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console and open the EKS cluster.
Under the cluster's Logging (Observability) settings, confirm that the API server control plane log type is enabled; enable it if it is not.
Open the cluster's CloudWatch log group /aws/eks/<cluster-name>/cluster and search the kube-apiserver log streams for authorization-mode. kube-apiserver records its command-line flags when it starts, so the line is present after the first API server start following log enablement; confirm the value includes Node.
Note that EKS node groups carry no such setting: the argument belongs to the managed API server, not to the nodes, so neither the node group user data nor aws eks describe-nodegroup will show it.
Using AWS CLI:
Confirm API server logging is enabled, then search the control plane log group:
aws eks describe-cluster --name <cluster-name> --query 'cluster.logging.clusterLogging'
aws logs filter-log-events --log-group-name /aws/eks/<cluster-name>/cluster --log-stream-name-prefix kube-apiserver --filter-pattern '"authorization-mode"'
Ensure the logged value includes Node.
Using kubectl (any cluster, requires impersonation rights such as cluster-admin):
kubectl auth can-i list secrets --all-namespaces --as=system:node:<node-name> --as-group=system:nodes
The expected answer is no: the Node authorizer only allows a node to get the individual Secrets referenced by Pods bound to it. A yes indicates AlwaysAllow or an over-broad binding for system:nodes. A no by itself does not prove Node is configured, since an RBAC-only cluster with the default empty system:node ClusterRoleBinding also answers no, so combine it with the flag check where the process is visible.
On a self-managed control plane:
ps -ef | grep kube-apiserver
Verify that --authorization-mode includes Node and does not include AlwaysAllow. On each node, also locate the kubelet config file (the --config argument in ps -ef | grep kubelet; on the Amazon Linux 2 EKS-optimized AMI it is /etc/kubernetes/kubelet/kubelet-config.json) and confirm authorization.mode is Webhook.
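The following shell script is an added example, not part of the original benchmark text, that automates the flag check and the impersonation probe described above. It assumes a POSIX shell, that kube-apiserver (when present) runs as a process visible to ps on the host, and that kubectl is configured with a context holding impersonation rights for the live probe; the function names and the sample command lines at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the kube-apiserver --authorization-mode setting.
# Not part of the original benchmark text. Assumes a POSIX shell; the live
# checks assume a kube-apiserver process on this host (self-managed control
# plane) or a kubectl context with impersonation rights (any cluster).

# Print the value of --authorization-mode from a kube-apiserver command line.
# Handles both "--authorization-mode=Node,RBAC" and "--authorization-mode Node,RBAC".
# Returns 1 and prints nothing when the flag is absent (kube-apiserver then
# defaults to AlwaysAllow).
extract_authorization_mode() {
    (
        set -f                      # no pathname expansion while word-splitting
        set -- $1
        while [ $# -gt 0 ]; do
            case $1 in
                --authorization-mode=*) printf '%s\n' "${1#--authorization-mode=}"; exit 0 ;;
                --authorization-mode)   printf '%s\n' "${2-}"; exit 0 ;;
            esac
            shift
        done
        exit 1
    )
}

# Evaluate a comma-separated mode list. PASS requires Node to be present and
# AlwaysAllow to be absent: AlwaysAllow approves every request it sees, so
# listing Node alongside it gives no protection. Returns 0 on PASS, 1 on FAIL.
check_authorization_mode() {
    modes=$1
    if [ -z "$modes" ]; then
        echo "FAIL: no authorization modes configured (kube-apiserver default is AlwaysAllow)"
        return 1
    fi
    has_node=0
    has_always_allow=0
    old_ifs=$IFS
    IFS=,
    for mode in $modes; do
        case $mode in
            Node)        has_node=1 ;;
            AlwaysAllow) has_always_allow=1 ;;
        esac
    done
    IFS=$old_ifs
    if [ "$has_always_allow" -eq 1 ]; then
        echo "FAIL: AlwaysAllow present in '$modes'"
        return 1
    fi
    if [ "$has_node" -eq 0 ]; then
        echo "FAIL: Node authorizer missing from '$modes'"
        return 1
    fi
    echo "PASS: --authorization-mode=$modes"
    return 0
}

# Self-managed control plane: read the flag from the running process.
# Skips (exit 0) when no kube-apiserver runs here, e.g. on an EKS worker node.
audit_running_apiserver() {
    cmdline=$(ps -eo args= | grep '[k]ube-apiserver' | head -n 1)
    if [ -z "$cmdline" ]; then
        echo "SKIP: no kube-apiserver process on this host (managed control plane?)"
        return 0
    fi
    modes=$(extract_authorization_mode "$cmdline") || modes=""
    check_authorization_mode "$modes"
}

# Any cluster, including EKS: behavioural probe through impersonation. The
# Node authorizer only lets a node get individual Secrets referenced by Pods
# bound to it, never list them cluster-wide, so "no" is the expected answer.
# "yes" indicates AlwaysAllow or an over-broad binding for system:nodes.
# A "no" alone does not prove Node is configured (an RBAC-only cluster with
# the default empty system:node binding also answers "no"), so pair it with
# the flag check wherever the process is visible.
probe_node_identity() {
    node=$1
    answer=$(kubectl auth can-i list secrets --all-namespaces \
        --as="system:node:$node" --as-group=system:nodes 2>/dev/null)
    case $answer in
        no)  echo "PASS: system:node:$node cannot list secrets cluster-wide"; return 0 ;;
        yes) echo "FAIL: system:node:$node can list secrets cluster-wide"; return 1 ;;
        *)   echo "ERROR: unexpected kubectl output '$answer' (missing impersonation rights?)"; return 2 ;;
    esac
}

# Constructed sample command lines (not captured from a real cluster) showing
# each outcome. For a live check run audit_running_apiserver on a control
# plane node, or probe_node_identity <node-name> from any kubectl context.
for sample in \
    "kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction" \
    "kube-apiserver --authorization-mode RBAC --etcd-servers=https://127.0.0.1:2379" \
    "kube-apiserver --authorization-mode=Node,AlwaysAllow" \
    "kube-apiserver --etcd-servers=https://127.0.0.1:2379"; do
    modes=$(extract_authorization_mode "$sample") || modes=""
    check_authorization_mode "$modes" || true
done
```

The extraction step runs in a subshell with pathname expansion disabled so that word-splitting the command line cannot glob against the filesystem; the mode check treats AlwaysAllow as a failure even when Node is also listed, because the authorizer chain stops at the first allow.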
Implementation Plan:
Using AWS Console:
No remediation is available or required on the EKS-managed control plane: the API server's authorization modes are not exposed for editing, and there is no node group setting for this argument. If the check fails only because API server logging is off, enable the API server log type under the cluster's Logging settings and re-run the check.
Using AWS CLI:
Enable API server control plane logging so the configured modes can be verified:
aws eks update-cluster-config --name <cluster-name> --logging '{"clusterLogging":[{"types":["api"],"enabled":true}]}'
On a self-managed control plane (for example kubeadm):
Back up and edit the kube-apiserver static Pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml on each control plane node so that it contains:
--authorization-mode=Node,RBAC
Alongside it, ensure --enable-admission-plugins includes NodeRestriction. The kubelet restarts the static Pod when the manifest changes; confirm with the ps check from the Test Plan.
Backout Plan:
Using AWS Console:
There is no authorization setting to revert on an EKS control plane. If API server logging was enabled only for this check, it can be disabled again under the cluster's Logging settings.
Using AWS CLI:
aws eks update-cluster-config --name <cluster-name> --logging '{"clusterLogging":[{"types":["api"],"enabled":false}]}'
On a self-managed control plane:
Restore the previous kube-apiserver manifest from the backup taken before the change. Removing Node from the list while the default system:node ClusterRoleBinding has no subjects leaves kubelets without any authorization, so keep a tested path back to the working manifest before editing it.
References:
Using Node Authorization: https://kubernetes.io/docs/reference/access-authn-authz/node/
Kubelet authentication and authorization: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/
Amazon EKS control plane logging: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html