Ensure that the --authorization-mode argument includes Node
| Property | |
|---|---|
| Language | |
| Severity | |
Description
The Kubernetes API server is not configured with the ‘Node’ authorization mode, which means kubelet nodes may have broader access to cluster resources than necessary. This misconfiguration fails to restrict kubelets to only the resources associated with their own node.
Impact
Without ‘Node’ authorization, compromised or malicious kubelets could potentially read or modify resources for other nodes in the cluster, increasing the risk of privilege escalation, data exposure, or lateral movement by attackers.
Resolution
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.
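One way to verify the setting after the edit, as an added example that is not part of the original rule text: the script reads the manifest and checks that `Node` appears as an exact entry in `--authorization-mode`, so an unrelated `NodeRestriction` admission plugin does not satisfy it. The function names and the sample manifests are constructed for illustration, and the message for a missing flag assumes the kube-apiserver default of `AlwaysAllow`.

```python
import re
import sys

# Constructed sample manifests, trimmed to the fields this check reads.
MANIFEST_WEAK = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --enable-admission-plugins=NodeRestriction
    - --authorization-mode=RBAC
"""
MANIFEST_FIXED = MANIFEST_WEAK.replace("--authorization-mode=RBAC",
                                       "--authorization-mode=Node,RBAC")
MANIFEST_UNSET = MANIFEST_WEAK.replace("    - --authorization-mode=RBAC\n", "")

# Matches an uncommented YAML list item such as "- --authorization-mode=Node,RBAC".
FLAG = re.compile(r"^\s*-\s+[\"']?--authorization-mode[= ]([^\"'\s#]+)")

def authorization_modes(manifest_text):
    """Return modes from every --authorization-mode item, or None if the flag is absent."""
    modes = None
    for line in manifest_text.splitlines():
        m = FLAG.match(line)
        if m:
            modes = (modes or []) + [x for x in m.group(1).split(",") if x]
    return modes

def check_node_authorizer(manifest_text):
    """Return (passed, reason) for the 'includes Node' rule."""
    modes = authorization_modes(manifest_text)
    if modes is None:
        # Assumption: with no flag, kube-apiserver falls back to AlwaysAllow.
        return (False, "flag not set; default is AlwaysAllow")
    if "Node" not in modes:  # exact entry match, not a substring search
        return (False, "Node missing from: " + ",".join(modes))
    return (True, "modes: " + ",".join(modes))

if __name__ == "__main__":
    # Usage: python3 check.py /etc/kubernetes/manifests/kube-apiserver.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MANIFEST_WEAK
    ok, why = check_node_authorizer(text)
    print(("PASS: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

Run without arguments it evaluates the constructed weak manifest and exits non-zero, which makes it usable as a gate in a configuration audit job.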