Profile Applicability:

  • Level 1

Description:
 The --authorization-mode argument in Kubernetes determines how the API server authorizes user requests. The AlwaysAllow mode grants all requests, bypassing any access control mechanisms. This check ensures that the --authorization-mode argument is not set to AlwaysAllow, thus enforcing proper access control and ensuring that the API server authorizes requests using more secure methods, such as RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control).

Rationale:
 Setting --authorization-mode to AlwaysAllow removes the authorization layer entirely, meaning that all requests are allowed without any checks or restrictions. This creates a significant security risk, as it effectively disables access control for the Kubernetes API server. By ensuring that --authorization-mode is not set to AlwaysAllow, Kubernetes enforces proper authentication and authorization policies, preventing unauthorized access to the cluster’s resources.

Impact:

  • Pros:

    • Ensures that proper RBAC or ABAC rules are in place to control access to the Kubernetes API.

    • Prevents the security risks associated with disabling authorization checks.

    • Enforces security policies and access control mechanisms that are critical to maintaining the integrity of the Kubernetes cluster.

  • Cons:

    • Some workloads may experience issues if the appropriate authorization settings are not correctly configured.

    • Requires proper configuration of RBAC or other authorization methods to ensure legitimate users can access resources.

Default Value:
 By default, --authorization-mode is not set to AlwaysAllow, and access control mechanisms such as RBAC or ABAC are enabled. This check ensures that the AlwaysAllow mode is not being used in the configuration.

Pre-requisites:
 Ensure that RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control) is properly configured in the cluster for secure authorization.


Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the API server configuration to ensure that the --authorization-mode argument is not set to AlwaysAllow.

  3. Ensure that RBAC or another secure authorization method is configured to manage access control for the Kubernetes API server.

Using Azure CLI:

1. Run the following command to check the --authorization-mode setting in the API server configuration:

kubectl describe pod kube-apiserver -n kube-system | grep --authorization-mode

2. Verify that the --authorization-mode argument is not set to AlwaysAllow and that it is set to an appropriate authorization method, such as RBAC:

kubectl describe pod kube-apiserver -n kube-system | grep authorization-mode


Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to your AKS cluster and access the API server configuration

2. Ensure that the --authorization-mode argument is not set to AlwaysAllow:

--authorization-mode=RBAC  # Ensure RBAC or another authorization mode is set

3. If --authorization-mode is set to AlwaysAllow, update it to RBAC or another secure method to control authorization.

4. Apply the updated configuration to the API server and restart it for the changes to take effect:

systemctl restart kube-apiserver


Using Azure CLI:

1. Modify the API server flags to ensure the --authorization-mode is not set to AlwaysAllow:

kube-apiserver --authorization-mode=RBAC  # Set to RBAC or another secure mode

2. Apply the change by restarting the API server:

systemctl restart kube-apiserver

3. Verify that the --authorization-mode setting is correctly configured:

kubectl describe pod kube-apiserver -n kube-system | grep --authorization-mode


Backout Plan:

Using Azure Console:

  1. If changing the --authorization-mode argument causes issues with legitimate workloads, revert the change by setting the --authorization-mode to a more permissive mode or restoring the previous configuration.

Using Azure CLI:

1. If the updated authorization-mode causes issues, revert the change by modifying the API server configuration:

kube-apiserver --authorization-mode=AlwaysAllow

2. Restart the API server to apply the changes:

systemctl restart kube-apiserver


References:

  1. Kubernetes API Server Flags

  2. Kubernetes RBAC Documentation

  3. Azure Kubernetes Service (AKS) Best Practices