Ensure authorization is set to Webhook

Description

Unauthenticated/unauthorized users should have no access to OpenShift nodes. The Kubelet should be set to only allow Webhook authorization. To ensure that the Kubelet requires authorization, validate that authorization is configured to Webhook in /etc/kubernetes/kubelet.conf:

authorization:
  mode: Webhook
  ...

Rationale

Ensuring that the authorization is configured correctly helps enforce that unauthenticated/unauthorized users have no access to OpenShift nodes.

ID: xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_worker
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

SRG-APP-000516-CTR-001325

4.2.2
Updated: about 1 year ago