Authorization mode AlwaysAllow allows all requests

ID

api_server_authorization_mode_always_allow

Severity

low

Vendor

Kubernetes

Resource

kube-apiserver

Tags

reachable

Description

In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access).

Kubernetes expects attributes that are common to REST API requests. This means that Kubernetes authorization works with existing organization-wide or cloud-provider-wide access control systems which may handle other APIs besides the Kubernetes API

Authorization mode AlwaysAllow flag allows all requests. Use this flag only if you do not require authorization for your API requests.

Learn more about this topic at Using Flags for Your Authorization Module.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - kube-apiserver (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: bad-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 The default authorization mode is AlwaysAllow, which allows all requests. This mode should not be used on any production cluster.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC,node (1)
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.9.0
    name: good-container
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /health
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki
1 Verify that the --authorization-mode argument exists and is not set to AlwaysAllow .