The --authorization-mode argument is set to AlwaysAllow

Description

Do not allow all requests. Enable explicit authorization. Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the apiserver. You should restrict this behavior and only allow explicitly authorized requests.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kubelet
    tier: control-plane
  name: kubelet
  namespace: kube-system
spec:
  containers:
  - command:
+   - kubelet
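    # The kubelet flag accepts only AlwaysAllow or Webhook; Webhook delegates
    # each authorization decision to the apiserver.
+   - --authorization-mode=Webhook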
    image: gcr.io/google_containers/kubelet-amd64:v1.6.0
    ...
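
One way to express this check in code, as an added example that is not code from the original page: it inspects the command and args of each kubelet container in a Pod manifest and reports whether --authorization-mode is AlwaysAllow, unset, or set to something else. The function names, the PASS/FAIL/UNSET statuses and the sample Pods (constructed Python dicts standing in for parsed YAML) are assumptions of this example.

```python
FLAG = "--authorization-mode"

def authorization_modes(argv):
    """Modes given to --authorization-mode, or None when the flag is absent.
    Accepts "--authorization-mode=X" and "--authorization-mode X"; when the
    flag is repeated, the last occurrence is the one evaluated."""
    modes, i = None, 0
    while i < len(argv):
        if argv[i].startswith(FLAG + "="):
            modes = argv[i].split("=", 1)[1]
        elif argv[i] == FLAG and i + 1 < len(argv):
            i += 1
            modes = argv[i]
        i += 1
    return None if modes is None else [m.strip() for m in modes.split(",")]

def check_pod(pod):
    """Return one (container_name, status, modes) tuple per kubelet container."""
    results = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command") or []) + list(c.get("args") or [])
        is_kubelet = c.get("name") == "kubelet" or any(
            a.rsplit("/", 1)[-1] == "kubelet" for a in argv)
        if not is_kubelet:
            continue
        modes = authorization_modes(argv)
        if modes is None:
            status = "UNSET"   # flag absent: the default behaviour applies
        elif "AlwaysAllow" in modes:
            status = "FAIL"    # every request is allowed without a check
        else:
            status = "PASS"
        results.append((c.get("name"), status, modes))
    return results

def make_pod(name, command, args=None):
    """Build a minimal constructed Pod dict for the samples below."""
    return {"kind": "Pod", "spec": {"containers": [
        {"name": name, "command": command, "args": args or []}]}}

# Constructed sample manifests, not taken from any real cluster.
SAMPLES = [
    make_pod("kubelet", ["kubelet", "--authorization-mode=AlwaysAllow"]),
    make_pod("kubelet", ["/usr/bin/kubelet"], ["--authorization-mode", "Webhook"]),
    make_pod("kubelet", ["kubelet"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_pod(sample))
```

An UNSET result still needs a look at the kubelet configuration file, since the authorization mode can also be set there rather than on the command line.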