Workload misconfigurations

Kubernetes node’s kubelet authorization-mode is set to AlwaysAllow

Risk Level

Informational (4)

Compliance Frameworks


The kubelet reads various parameters, including security settings, from a config file (and from command-line flags, which override the file). When the authorization mode (`authorization.mode` in the config file, `--authorization-mode` on the command line) is set to 'AlwaysAllow', the kubelet serves every request to its API, including anonymous ones, without performing any authorization check against the apiserver. Orca has detected that the authorization mode is set to 'AlwaysAllow' on {K8sNode.Vm}.
  • Recommended Mitigation

    Set the kubelet authorization-mode on {K8sNode} to 'Webhook', so that each request is authorized by the apiserver (a SubjectAccessReview) before the kubelet acts on it.
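Added example (not Orca's code): a POSIX shell check that derives a kubelet's effective authorization mode from its command line and config file, honouring flag-over-file precedence and the kubelet's own default of AlwaysAllow when nothing is set. The config files it reads are constructed inline; file paths and the `kubelet_authz_mode` / `check_kubelet_authz` function names are assumptions for the example.

```shell
#!/bin/sh
# Added example: report a kubelet's effective authorization mode.
# Precedence: --authorization-mode flag > authorization.mode in the
# config file > kubelet default (AlwaysAllow).

# Usage: kubelet_authz_mode <kubelet config file> "<kubelet command line>"
kubelet_authz_mode() {
  cfg=$1; cmdline=$2
  # 1. A --authorization-mode flag on the command line wins (last one counts).
  flag=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
         | sed -n 's/^--authorization-mode=//p' | tail -n 1)
  if [ -n "$flag" ]; then printf '%s\n' "$flag"; return 0; fi
  # 2. Otherwise read the indented "mode:" line inside the top-level
  #    "authorization:" block of the KubeletConfiguration file.
  mode=$(awk '/^authorization:/{a=1;next} a&&/^[^ ]/{a=0}
              a&&/^ +mode:/{gsub(/"/,"",$2);print $2}' "$cfg" 2>/dev/null)
  # 3. Nothing set anywhere: the kubelet default is AlwaysAllow.
  printf '%s\n' "${mode:-AlwaysAllow}"
}

# Prints PASS/FAIL and returns 1 on FAIL so it can gate a node audit.
check_kubelet_authz() {
  mode=$(kubelet_authz_mode "$1" "$2")
  if [ "$mode" = "AlwaysAllow" ]; then
    echo "FAIL: kubelet authorization mode is $mode"; return 1
  fi
  echo "PASS: kubelet authorization mode is $mode"
}

# Constructed sample configs (not captured from a real node).
tmp=$(mktemp -d)
cat > "$tmp/weak.yaml" <<'EOF'
kind: KubeletConfiguration
authorization:
  mode: AlwaysAllow
EOF
cat > "$tmp/fixed.yaml" <<'EOF'
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF
check_kubelet_authz "$tmp/weak.yaml"  "kubelet --config=$tmp/weak.yaml"  || true
check_kubelet_authz "$tmp/fixed.yaml" "kubelet --config=$tmp/fixed.yaml"
# A flag on the command line overrides a hardened config file.
check_kubelet_authz "$tmp/fixed.yaml" "kubelet --authorization-mode=AlwaysAllow" || true
```

On a live node, pass the path from the kubelet's `--config` flag and the output of `ps -o args= -C kubelet` as the two arguments.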