documentation_complete: true


{{%- if product == "eks" %}}
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet/kubelet-config.json" %}}
{{%- else %}}
{{%- set kubeletconf_path = "/etc/kubernetes/kubelet.conf" %}}
{{%- endif %}}

platform: {{{ product }}}-node

title: 'Ensure authorization is set to Webhook'

description: |-
    Unauthenticated/unauthorized users should have no access to OpenShift nodes.
    The Kubelet should be set to only allow Webhook authorization.
    To ensure that the Kubelet requires authorization,
    validate that <tt>authorization</tt> is configured to <tt>Webhook</tt>
    in <tt>{{{ kubeletconf_path }}}</tt>:
    <pre>
    authorization:
      mode: Webhook
      ...
    </pre>

rationale: |-
    Ensuring that the authorization is configured correctly helps enforce that
    unauthenticated/unauthorized users have no access to OpenShift nodes.

identifiers:
  cce@ocp4: CCE-83593-4

severity: medium

references:
    cis@eks: 3.2.2
    cis@ocp4: 4.2.3
    nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
    nist: CM-6,CM-6(1)
    srg: SRG-APP-000516-CTR-001325

ocil_clause: '<tt>authorization-mode</tt> is not configured to <tt>Webhook</tt>'

ocil: |-
    Run the following command on the kubelet node(s):
    <pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done</pre>
    Verify that the output is not set to <tt>mode: AlwaysAllow</tt>, or missing
    (defaults to <tt>mode: Webhook</tt>).

template:
    name: yamlfile_value
    vars:
        filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
        yamlpath: ".kubeletconfig.authorization.mode"
        check_existence: "all_exist"
        values:
         - value: "AlwaysAllow"
           operation: "not equal"