---
title: An EKS Cluster's Kubelet should only allow explicitly authorized requests
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > An EKS Cluster's Kubelet should only
  allow explicitly authorized requests
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# An EKS Cluster's Kubelet should only allow explicitly authorized requests
 
## Description{% #description %}

EKS worker node kubelets should resolve their effective authorization mode to `Webhook` so that kubelet API requests are explicitly authorized through the Kubernetes SubjectAccessReview API. An `AlwaysAllow` mode permits requests without webhook-based authorization and is noncompliant; a `null` or missing value indicates the live configz output should be re-verified.

## Remediation{% #remediation %}

1. Define `authorization.mode: Webhook` in the worker node bootstrap configuration (launch template user data or NodeConfig) so nodes join the cluster with the correct setting. See the [EKS launch template documentation](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html).
1. For an existing node group, update the [managed node group](https://docs.aws.amazon.com/eks/latest/userguide/update-managed-node-group.html) launch template version and roll or replace the nodes so EKS recycles each node from the corrected configuration, then re-audit the live kubelet configz output to confirm the effective value is `Webhook`. Avoid editing the kubelet config file directly on the host, as host-level edits can be overridden or lost when nodes are recycled.

## References{% #references %}

- [Customize managed nodes with launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html)
- [Kubelet authentication and authorization](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/)
- [Update a managed node group](https://docs.aws.amazon.com/eks/latest/userguide/update-managed-node-group.html)
- [CIS Amazon Web Services Benchmarks](https://www.cisecurity.org/benchmark/amazon_web_services)
