Limit binding of Anonymous User
Secure Kubernetes resources by disallowing the 'system:anonymous' user and the 'system:unauthenticated' group as subjects in a KubernetesRoleBinding. These subjects lack proper authentication, risking unauthorized access and potential misuse. Enforcing this rule strengthens Kubernetes security, ensuring only authenticated and authorized entities access the cluster.
Risk Level: Critical
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.K8S.AC.25
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
KubernetesRoleBinding should not have subjects contain [ kind='User' and name='system:anonymous' ] or subjects contain [ kind like 'Group' and name='system:unauthenticated' ]
REMEDIATION
Kubernetes Role Binding
A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
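The following is an added example, not CloudGuard's own code or part of the GSL engine. It applies the same test the GSL logic above expresses to parsed RoleBinding objects: flag any subject that is the 'system:anonymous' User or the 'system:unauthenticated' Group. It goes slightly beyond the rule's stated entity by accepting ClusterRoleBinding objects as well, since the remediation text notes those grant the same access cluster-wide. The manifests are constructed samples in the shape `kubectl get rolebindings -o json` returns; the function and variable names are this example's own.

```python
"""Added example (not CloudGuard's code): detect RoleBinding / ClusterRoleBinding
objects whose subjects include the anonymous user or the unauthenticated group.
All manifests below are constructed samples, not data from a real cluster."""
from typing import Any, Dict, List

# (kind, name) pairs the rule forbids, taken from the GSL logic on this page.
FORBIDDEN_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def forbidden_subjects(binding: Dict[str, Any]) -> List[str]:
    """Return 'kind/name' for every forbidden subject in one binding.

    An empty list means the binding passes the rule. A binding with no
    'subjects' key (or subjects: null) is treated as having no subjects."""
    findings = []
    for subject in binding.get("subjects") or []:
        kind = subject.get("kind", "")
        name = subject.get("name", "")
        if (kind, name) in FORBIDDEN_SUBJECTS:
            findings.append(f"{kind}/{name}")
    return findings


def audit_bindings(bindings: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each violating binding to its forbidden subjects.

    Keys look like 'RoleBinding:demo/anon-reader'; cluster-scoped objects
    (ClusterRoleBinding) have no namespace and are shown as '<cluster>'."""
    report: Dict[str, List[str]] = {}
    for binding in bindings:
        meta = binding.get("metadata", {})
        ident = (f"{binding.get('kind')}:"
                 f"{meta.get('namespace', '<cluster>')}/{meta.get('name')}")
        hits = forbidden_subjects(binding)
        if hits:
            report[ident] = hits
    return report


RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed sample manifests.
SAMPLE_BINDINGS = [
    {   # violates: grants a namespaced role to the anonymous user
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "anon-reader", "namespace": "demo"},
        "subjects": [{"kind": "User", "name": "system:anonymous", "apiGroup": RBAC_GROUP}],
        "roleRef": {"kind": "Role", "name": "reader", "apiGroup": RBAC_GROUP},
    },
    {   # violates: cluster-wide grant to every unauthenticated request
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "unauth-view"},
        "subjects": [{"kind": "Group", "name": "system:unauthenticated", "apiGroup": RBAC_GROUP}],
        "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC_GROUP},
    },
    {   # passes: only an authenticated group is bound
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "dev-edit", "namespace": "demo"},
        "subjects": [{"kind": "Group", "name": "developers", "apiGroup": RBAC_GROUP}],
        "roleRef": {"kind": "Role", "name": "edit", "apiGroup": RBAC_GROUP},
    },
    {   # passes: edge case, binding with no subjects at all
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "empty", "namespace": "demo"},
        "roleRef": {"kind": "Role", "name": "reader", "apiGroup": RBAC_GROUP},
    },
]

if __name__ == "__main__":
    for ident, hits in audit_bindings(SAMPLE_BINDINGS).items():
        print(f"{ident}: forbidden subjects {hits}")
```

To run it against a live cluster, feed `audit_bindings` the `items` list from `kubectl get rolebindings,clusterrolebindings -A -o json`; the match is deliberately exact on both kind and name, as in the GSL expression, so a ServiceAccount or a differently named group is never flagged.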
Compliance Frameworks
- Container Admission Control
- Container Admission Control 1.0