Lateral movement

K8S API server without node authorization

Risk Level

Hazardous (3)

Platform(s)
  • N/A

Description

It was found that Node authorization is not enabled in the k8s API server configuration file. The Node authorizer restricts each kubelet so that it can only read the secrets and volumes belonging to its own node. Without it, a kubelet (or an attacker who has compromised one) can read secrets and volumes belonging to other nodes, so the environment might be vulnerable to lateral movement from one node to another.
Recommended Mitigation

It is recommended to include 'Node' in the authorization mode parameter (`--authorization-mode`, e.g. `Node,RBAC`) of the kube-apiserver configuration file.
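The following added example (not part of the original finding and not a vendor tool) shows a portable shell check for the misconfiguration described above. It parses the `--authorization-mode` flag out of a kube-apiserver static pod manifest and reports whether `Node` is among the listed authorizers. The three manifest excerpts are constructed samples; the path `/etc/kubernetes/manifests/kube-apiserver.yaml` is the usual kubeadm location and is an assumption about the target cluster. Note that kube-apiserver defaults to `AlwaysAllow` when the flag is absent entirely, which is why a missing flag is treated as a failure, and that clusters using the newer `--authorization-config` file are not covered by this check.

```shell
#!/bin/sh
# Added example: detect a kube-apiserver manifest whose --authorization-mode
# does not include the Node authorizer. All manifests below are constructed.

# Constructed sample: compliant manifest (Node authorizer present).
GOOD_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --enable-admission-plugins=NodeRestriction'

# Constructed sample: RBAC only, Node authorizer missing (the finding).
BAD_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=RBAC'

# Constructed sample: flag absent altogether (apiserver default is AlwaysAllow).
MISSING_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver'

# Extract the comma-separated value of --authorization-mode from manifest text.
# Prints nothing if the flag is not present.
authorization_mode() {
  printf '%s\n' "$1" \
    | sed -n 's/.*--authorization-mode=\([^ "]*\).*/\1/p' \
    | head -n 1
}

# Return 0 if the manifest text enables the Node authorizer, 1 otherwise.
has_node_authorizer() {
  mode=$(authorization_mode "$1")
  if [ -z "$mode" ]; then
    return 1
  fi
  # Split on commas and require an exact "Node" entry (not e.g. "NodeFoo").
  printf '%s\n' "$mode" | tr ',' '\n' | grep -qx 'Node'
}

# Convenience wrapper for a real control-plane node (path is an assumption).
check_apiserver_manifest_file() {
  file="${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
  if [ ! -r "$file" ]; then
    echo "cannot read $file" >&2
    return 2
  fi
  has_node_authorizer "$(cat "$file")"
}

# Demonstration on the constructed samples.
report() {
  if has_node_authorizer "$2"; then
    echo "$1: OK   (authorization-mode=$(authorization_mode "$2"))"
  else
    echo "$1: FAIL (Node authorizer missing; authorization-mode='$(authorization_mode "$2")')"
  fi
}

report good    "$GOOD_MANIFEST"
report bad     "$BAD_MANIFEST"
report missing "$MISSING_MANIFEST"
```

The check is deliberately strict about an exact `Node` entry so that a hypothetical authorizer name that merely starts with "Node" does not count. In practice the Node authorizer is normally paired with the `NodeRestriction` admission plugin, which stops a kubelet from modifying objects outside its own node; a complete review of a control plane should confirm both.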