Kubelet should only allow explicitly authorized requests

kubernetes

Set up the kubernetes integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

Explicit authorization should be enabled. Kubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server.

Remediation

  1. If using a Kubelet config file, edit the file to set authorization: Webhook.
  2. If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and set the below parameter in the KUBELET_AUTHZ_ARGS variable.
--authorization-mode=Webhook
  1. Restart the kubelet service.