Workload misconfigurations

Kubernetes node’s kubelet authorization-mode is set to AlwaysAllow

Platform(s)
  • Non-platform specific

Compliance Frameworks
  • AKS CIS
  • CCPA
  • CPRA
  • EKS CIS
  • GKE CIS
  • iso_27001_2022
  • iso_27002_2022
  • K8s CIS
  • K8s OWASP Top 10
  • Mitre ATT&CK
  • NIST 800-171
  • NIST 800-190
  • NIST 800-53
  • PDPA
  • STIG K8s
  • UK Cyber Essentials

Description

The kubelet reads various parameters, including its security settings, from a configuration file. When the authorization mode is set to 'AlwaysAllow', the kubelet serves every request that passes authentication (anonymous requests included) without performing an explicit authorization check against the apiserver. Orca has detected that the authorization mode is set to 'AlwaysAllow' on {K8sNode.Vm}.
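The check below is an added example of how to verify this setting on a node, written for this page; it is not Orca's detection logic. It assumes the KubeletConfiguration file format (kubelet.config.k8s.io/v1beta1, where the setting lives under authorization.mode) and that a --authorization-mode flag on the kubelet command line overrides the file, so both sources are inspected and the flag wins. The two configuration files are constructed samples: the weak setting this finding reports, and the remediated Webhook setting. The script reports FAIL for AlwaysAllow, PASS for Webhook, and MANUAL when neither source sets the mode, because the kubelet's built-in default then applies and should be confirmed on the node itself.

```python
"""Resolve and grade a kubelet's effective authorization mode.

Added example for this finding, not Orca's own check. Assumes the
KubeletConfiguration (kubelet.config.k8s.io/v1beta1) layout and that
kubelet command-line flags take precedence over the config file.
"""


def nested_scalar(yaml_text, path):
    """Return the scalar at a nested key path in block-style YAML without a
    YAML library. Handles mappings of scalars and sub-mappings only, which
    is all the kubelet keys below need (assumption: no flow-style nesting)."""
    stack = []  # (indent, key) for the mappings currently open
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or line.lstrip().startswith("-"):
            continue  # skip blank lines and list items
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper level
        stack.append((indent, key.strip()))
        if [k for _, k in stack] == list(path):
            return value.strip().strip("'\"") or None
    return None


def flag_value(kubelet_args, flag):
    """Value of --flag in a kubelet argv, accepting both --flag=value and
    --flag value forms; None when the flag is absent."""
    for i, arg in enumerate(kubelet_args):
        if arg == flag and i + 1 < len(kubelet_args):
            return kubelet_args[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return None


def effective_authorization_mode(config_text, kubelet_args=()):
    """Return (mode, source). Flags override the file, so argv is read first."""
    mode = flag_value(kubelet_args, "--authorization-mode")
    if mode is not None:
        return mode, "flag"
    mode = nested_scalar(config_text, ("authorization", "mode"))
    if mode is not None:
        return mode, "config"
    return None, "unset"


def evaluate_kubelet(config_text, kubelet_args=()):
    """Grade the node: FAIL for AlwaysAllow (or an unrecognised mode), PASS for
    Webhook, MANUAL when nothing sets the mode and the kubelet default applies.
    The anonymous-auth setting is reported alongside because AlwaysAllow lets
    anonymous requests through as well."""
    mode, source = effective_authorization_mode(config_text, kubelet_args)
    anon = nested_scalar(config_text, ("authentication", "anonymous", "enabled"))
    anon_note = f"; anonymous auth enabled={anon}" if anon is not None else ""
    if mode is None:
        return "MANUAL", "authorization mode not set explicitly" + anon_note
    if mode == "AlwaysAllow":
        return "FAIL", f"authorization mode AlwaysAllow set via {source}" + anon_note
    if mode == "Webhook":
        return "PASS", f"authorization mode Webhook set via {source}" + anon_note
    return "FAIL", f"unrecognised authorization mode {mode!r} via {source}" + anon_note


# Constructed sample: the weak configuration this finding reports.
WEAK_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
"""

# Constructed sample: the remediated configuration.
HARDENED_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
"""

if __name__ == "__main__":
    print(evaluate_kubelet(WEAK_CONFIG))
    print(evaluate_kubelet(HARDENED_CONFIG))
    # A flag on the kubelet command line silently overrides a hardened file.
    print(evaluate_kubelet(HARDENED_CONFIG,
                           ["/usr/bin/kubelet", "--authorization-mode=AlwaysAllow"]))
```

On a real node, the config file path comes from the kubelet's --config flag and the argv from the running kubelet process; reading both matters because a hardened file can be undone by a flag in the service unit, which a file-only check would miss.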