Ensure authorization is set to Webhook
An XCCDF Rule
Description
Unauthenticated/unauthorized users should have no access to OpenShift nodes.
The Kubelet should be set to only allow Webhook authorization.
To ensure that the Kubelet requires authorization,
validate that authorization
is configured to Webhook
in /etc/kubernetes/kubelet.conf
:
authorization: mode: Webhook ...
Rationale
Ensuring that the authorization is configured correctly helps enforce that unauthenticated/unauthorized users have no access to OpenShift nodes.
- ID
- xccdf_org.ssgproject.content_rule_kubelet_authorization_mode
- Severity
- Medium
- References
- Updated