Profile Applicability: Level 1
Do not allow all requests. Enable explicit authorization.
Kubelets, by default, allow all authenticated requests (even anonymous ones) without
needing explicit authorization checks from the apiserver. You should restrict this
behavior and only allow explicitly authorized requests.
![]() |
NoteSee the Azure AKS documentation for the default value.
|
Impact
Unauthorized requests will be denied.
Audit
Audit Method 1:
If using a Kubelet configuration file, check that there is an entry for
"authentication": { "webhook": { "enabled": true }
.-
SSH to the relevant node and execute the following command to find the Kubelet config file:
ps -ef | grep kubelet
The output should return something similar to--config /etc/kubernetes/kubelet/kubelet-config.json
which is the location of the Kubelet config file. -
Open the Kubelet config file:
sudo more /etc/kubernetes/kubelet/kubelet-config.json
-
Verify that
"authentication": {"webhook": {"enabled": true}}
is present and that"authentication": {"mode": {
is not set toAlwaysAllow
.If"authentication": {"mode": {
argument is present, check that it is not set toAlwaysAllow
. If it is not present, check that there is a Kubelet config file specified by--config
, and that file sets"authentication": {"mode": {
to something other thanAlwaysAllow
.
Audit Method 2:
If using the API configz endpoint, consider searching for the status of
"authentication"... "webhook":{"enabled":true}
by extracting the live configuration from the nodes running Kubelet.-
Set the local proxy port and the following variables, and provide the proxy port number and node name:
HOSTNAME_PORT="localhost-and-port-number"
NODE_NAME="The-Name-Of-Node-To-Extract-Configuration" (from the output of "kubectl get nodes")
kubectl proxy --port=8001 & export HOSTNAME_PORT=localhost:8001 (example host and port number) export NODE_NAME=ip-192.168.31.226.aks.internal (example node name from "kubectl get nodes") curl -sSL "http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"
Remediation
Remediation Method 1:
If modifying the Kubelet config file, edit the kubelet-config.json file
/etc/kubernetes/kubelet/kubelet-config.json
and ensure the parameter is set correctly:"authentication"... "webhook":{"enabled":true
Remediation Method 2:
If using executable arguments, edit the Kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubelet-args.conf
on each worker node and add the following to the KUBELET_ARGS
variable string:--authorization-mode=Webhook
Remediation Method 3:
If using the API configz endpoint, verify that
"authentication.*webhook":{"enabled":true}
is present by extracting the live configuration from the nodes running Kubelet.See step-by-step configmap procedures in Reconfigure a Node's Kubelet in a Live Cluster, and rerun the curl statement from the audit process to check the configuration changes:
"kubectl proxy --port=8001 &" "export HOSTNAME_PORT=localhost:8001 (example host and port number) export NODE_NAME=ip-192.168.31.226.aks.internal (example node name from ""kubectl get nodes"")" "curl -sSL ""http://${HOSTNAME_PORT}/api/v1/nodes/${NODE_NAME}/proxy/configz"""
For all three remediations:
Restart the
kubelet
service and check the status:systemctl daemon-reload systemctl restart kubelet.service systemctl status kubelet -l