Profile Applicability:
Level 1
Description:
The --authorization-mode argument in the Kubelet configuration determines how authorization is performed for incoming requests. If set to AlwaysAllow, it means all requests will be allowed without any form of authorization, effectively bypassing security checks. This setting poses a significant security risk as it allows any user or process to make requests to the Kubernetes API server.
Rationale:
Using AlwaysAllow as the authorization mode disables authorization for API requests, which exposes the Kubernetes cluster to unauthorized access and compromises its security. A proper authorization mode, such as RBAC or ABAC, should be enforced instead.
Impact:
Pros:
Ensures that authorization is enforced and only authorized users can interact with the Kubernetes API server.
Cons:
Requires correct configuration of other authorization modes like RBAC, ABAC, or Webhook to ensure proper authorization.
Default Value:
Not set by default; RBAC is the recommended mode for most clusters.
Pre-requisites:
RBAC, ABAC, or another suitable authorization mechanism should be configured for the Kubernetes cluster.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Node Group or EKS configuration details.
Check the --authorization-mode argument in the node group's user data or the EKS configuration to ensure that it is not set to AlwaysAllow.
Using AWS CLI:
Run the following AWS CLI command to describe your EKS node group's configuration:
aws eks describe-nodegroup --cluster-name <cluster-name> --nodegroup-name <nodegroup-name>
Review the --authorization-mode argument in the output and ensure it is not set to AlwaysAllow.
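The check above reads the value off the node group configuration; in practice the kubelet's mode has to be read from the node itself, because a command-line flag overrides the config file and, when neither sets it, the kubelet falls back to its built-in default of AlwaysAllow. The following script is an added example, not part of the benchmark text, that resolves the effective mode from a kubelet command line and its KubeletConfiguration JSON, and can also parse the running config exposed through the API server's node proxy (`kubectl get --raw /api/v1/nodes/<node>/proxy/configz`). The config path `/etc/kubernetes/kubelet/kubelet-config.json` is an assumption about EKS-optimized AMIs and is not taken from the page; the sample inputs are constructed.

```python
"""Resolve the kubelet's effective --authorization-mode and flag AlwaysAllow.

Added example (not the benchmark's own tooling). Precedence implemented here:
command-line flag > authorization.mode in the --config file > kubelet default.
"""
import json
import os
import shlex
from typing import List, Optional, Tuple

# The kubelet's built-in default when neither the flag nor the config file sets a mode.
KUBELET_DEFAULT_MODE = "AlwaysAllow"
# Assumed location of the kubelet config on EKS-optimized AMIs (assumption, not from the page).
ASSUMED_EKS_CONFIG_PATH = "/etc/kubernetes/kubelet/kubelet-config.json"

# Constructed sample inputs (not captured from a real node).
SAMPLE_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {"anonymous": {"enabled": False}, "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})
SAMPLE_CMDLINE_OK = "kubelet --config " + ASSUMED_EKS_CONFIG_PATH
# A flag on the command line wins over the file, so this node would be non-compliant.
SAMPLE_CMDLINE_BAD = SAMPLE_CMDLINE_OK + " --authorization-mode=AlwaysAllow"
# Constructed, trimmed to the shape the node proxy's /configz endpoint returns.
SAMPLE_CONFIGZ = json.dumps({"kubeletconfig": {"authorization": {"mode": "Webhook"}}})


def flag_value(args: List[str], name: str) -> Optional[str]:
    """Value of --name=VALUE or --name VALUE in an argv list, or None if absent."""
    prefix = f"--{name}="
    for i, arg in enumerate(args):
        if arg.startswith(prefix):
            return arg[len(prefix):]
        if arg == f"--{name}" and i + 1 < len(args):
            return args[i + 1]
    return None


def mode_from_config(config_text: str) -> Optional[str]:
    """authorization.mode from a KubeletConfiguration JSON document, or None."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError:
        return None
    return (cfg.get("authorization") or {}).get("mode")


def mode_from_configz(configz_text: str) -> Optional[str]:
    """authorization.mode from the JSON returned by the node proxy's /configz endpoint."""
    try:
        doc = json.loads(configz_text)
    except json.JSONDecodeError:
        return None
    return ((doc.get("kubeletconfig") or {}).get("authorization") or {}).get("mode")


def effective_mode(cmdline: str, config_text: str) -> str:
    """Apply the precedence flag > config file > kubelet default."""
    args = shlex.split(cmdline)
    return (flag_value(args, "authorization-mode")
            or mode_from_config(config_text)
            or KUBELET_DEFAULT_MODE)


def evaluate(mode: str) -> Tuple[str, str]:
    """Benchmark verdict for a resolved mode: anything but AlwaysAllow passes."""
    return ("FAIL" if mode == "AlwaysAllow" else "PASS"), mode


def live_node_check() -> Tuple[str, str]:
    """Run on a Linux node: find the kubelet process in /proc and read its config file."""
    cmdline = ""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
        except OSError:
            continue
        if argv and os.path.basename(argv[0]) == "kubelet":
            cmdline = " ".join(shlex.quote(a) for a in argv)
            break
    # Honour --config if present; otherwise fall back to the assumed EKS path.
    config_path = flag_value(shlex.split(cmdline), "config") or ASSUMED_EKS_CONFIG_PATH
    try:
        with open(config_path, encoding="utf-8") as fh:
            config_text = fh.read()
    except OSError:
        config_text = ""  # no file: the kubelet default applies
    return evaluate(effective_mode(cmdline, config_text))


if __name__ == "__main__":
    for label, cmd in (("compliant", SAMPLE_CMDLINE_OK), ("non-compliant", SAMPLE_CMDLINE_BAD)):
        status, mode = evaluate(effective_mode(cmd, SAMPLE_CONFIG))
        print(f"{label:14s} {status} (authorization mode: {mode})")
```

Note that the kubelet's own flag accepts AlwaysAllow and Webhook; Webhook delegates each kubelet API request to the API server's authorizer, which is where the RBAC policy this benchmark recommends is actually applied.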
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Go to the Node Group section and select the relevant node group.
Modify the configuration to ensure that the --authorization-mode argument is set to a secure mode (e.g., RBAC).
Save the configuration and redeploy the node group if necessary.
Using AWS CLI:
Point the node group at a launch template version whose user data sets the --authorization-mode argument to a secure mode (e.g., RBAC). Launch template versions are applied with update-nodegroup-version (update-nodegroup-config does not accept a launch template):
aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<version-number>
Backout Plan:
Using AWS Console:
Navigate to the Node Group configuration in the AWS Console.
Revert the --authorization-mode argument to its previous value (if necessary).
Save and redeploy the node group to ensure the settings are reverted.
Using AWS CLI:
If issues occur, revert the node group to the previous launch template version using:
aws eks update-nodegroup-version --cluster-name <cluster-name> --nodegroup-name <nodegroup-name> --launch-template name=<launch-template-name>,version=<old-version-number>
References:
Kubelet Authorization Documentation