TF 0128 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --authorization-mode argument includes Node

Property Value
Language terraform
Severity low

Description

The Kubernetes API server is not configured with the 'Node' authorization mode, so kubelets may have broader access to cluster resources than necessary: they are not restricted to the resources associated with their own node.

Impact

Without 'Node' authorization, compromised or malicious kubelets could potentially read or modify resources for other nodes in the cluster, increasing the risk of privilege escalation, data exposure, or lateral movement by attackers.

Resolution

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node and set the --authorization-mode parameter to a value that includes Node.
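One way to verify the setting after editing the manifest, as an added example that is not part of the original wiki entry or the project's own tooling. The function names `authz_mode_has_node` and `write_sample_manifest` are hypothetical, the sample manifests are constructed, and the check assumes the flag is written as `--authorization-mode=<list>` in the container command list.

```shell
#!/bin/sh
# Exit codes: 0 = Node present, 1 = Node missing, 2 = manifest unreadable.
authz_mode_has_node() {
    manifest=$1
    [ -r "$manifest" ] || return 2
    # Keep the last --authorization-mode list item from the container command.
    # Commented-out lines do not match because they do not start with "-".
    modes=$(grep -E '^[[:space:]]*-[[:space:]]*.?--authorization-mode=' "$manifest" \
        | tail -n 1 \
        | sed -e 's/.*--authorization-mode=//' -e 's/[^A-Za-z,].*$//')
    # Flag absent: kube-apiserver falls back to its default mode, AlwaysAllow.
    [ -n "$modes" ] || return 1
    # Match Node only as a whole comma-separated value (NodeX must not pass).
    case ",$modes," in
        *,Node,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample: writes a trimmed manifest whose command list carries
# the given extra argument (pass "" to omit the flag entirely).
write_sample_manifest() {
    out=$1 flag=$2
    {
        printf '%s\n' 'apiVersion: v1' 'kind: Pod' 'metadata:' \
            '  name: kube-apiserver' 'spec:' '  containers:' '  - command:' \
            '    - kube-apiserver' '    # - --authorization-mode=Node,RBAC' \
            '    - --secure-port=6443'
        [ -z "$flag" ] || printf '    - %s\n' "$flag"
        printf '%s\n' '    name: kube-apiserver'
    } > "$out"
}

# Demo on constructed manifests: the weak setting beside the corrected one.
demo_dir=$(mktemp -d)
write_sample_manifest "$demo_dir/weak.yaml" '--authorization-mode=RBAC'
write_sample_manifest "$demo_dir/fixed.yaml" '--authorization-mode=Node,RBAC'
for f in "$demo_dir/weak.yaml" "$demo_dir/fixed.yaml"; do
    if authz_mode_has_node "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -rf "$demo_dir"
```

On a control plane node, call `authz_mode_has_node /etc/kubernetes/manifests/kube-apiserver.yaml` and treat any non-zero exit code as a finding.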