1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
|
title: The authorization-mode cannot be AlwaysAllow
{{% set default_jqfilter = '[.data."config.yaml" | fromjson]' %}}
{{% set default_api_path = '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' %}}
{{% set hypershift_path = '/api/v1/namespaces/{{.hypershift_namespace_prefix}}-{{.hypershift_cluster}}/configmaps/kas-config' %}}
{{% set hypershift_jqfilter = '[.data."config.json" | fromjson]' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
description: 'Do not always authorize all requests.'
rationale: |-
The API Server, can be configured to allow all requests. This mode should not be used on any production cluster.
identifiers:
cce@ocp4: CCE-84207-0
severity: medium
references:
cis@ocp4: 1.2.7
nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
nist: CM-6,CM-6(1)
pcidss: Req-2.2
srg: SRG-APP-000516-CTR-001325
platform: not ocp4-on-hypershift-hosted
ocil_clause: 'The Node authorization-mode is configured and enabled'
ocil: |-
To verify that the <tt>Node</tt> authorization mode is be configured and enabled in
the apiserver configuration, run:
<pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | grep '"authorization-mode":\[[^]]*"AlwaysAllow"'</pre>
The output should be empty - the "authorization-mode" list does NOT contain the "AlwaysAllow" authorizer.
warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: "true"
check_existence: "none_exist"
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: '.apiServerArguments["authorization-mode"][:]'
values:
- value: 'AlwaysAllow'
operation: "pattern match"
type: "string"
|