Skip to content

Ensure authorization is set to Webhook

An XCCDF Rule

Description

Unauthenticated/unauthorized users should have no access to OpenShift nodes. The Kubelet should be set to only allow Webhook authorization. To ensure that the Kubelet requires authorization, validate that authorization is configured to Webhook in /etc/kubernetes/kubelet.conf:

authorization:
  mode: Webhook
  ...

Rationale

Ensuring that the authorization is configured correctly helps enforce that unauthenticated/unauthorized users have no access to OpenShift nodes.

ID
xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_master
Severity
Medium
References
Updated