Limit binding of Anonymous User

Secure Kubernetes resources by disallowing the 'system:anonymous' user and the 'system:unauthenticated' group as subjects in a KubernetesRoleBinding. These subjects lack proper authentication, so binding a role to them risks unauthorized access and potential misuse. Enforcing this rule strengthens Kubernetes security by ensuring that only authenticated and authorized entities can access the cluster.

Risk Level: Critical
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.K8S.AC.25
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRoleBinding should not have subjects contain [ kind='User' and name='system:anonymous' ] or subjects contain [ kind like 'Group' and name='system:unauthenticated' ]
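The following is an added example, not CloudGuard's own rule engine: it applies the same subject check to a RoleBinding or ClusterRoleBinding manifest (parsed into a dict, as YAML would be), flags the offending subjects, and shows the remediated form. It treats the GSL `like 'Group'` comparison as an exact match, and the binding, role and service-account names are constructed for the example.

```python
# Added example (not CloudGuard's code): detect RoleBinding / ClusterRoleBinding
# subjects that hand permissions to unauthenticated principals, mirroring the
# GSL rule above. Manifests are constructed inline as dicts (as parsed from YAML).

DISALLOWED_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def offending_subjects(binding):
    """Return the (kind, name) pairs in the binding's subjects that match the rule.

    Works for both RoleBinding and ClusterRoleBinding; a binding whose subjects
    field is omitted or null grants nothing and is therefore compliant.
    """
    found = []
    for subject in binding.get("subjects") or []:
        pair = (subject.get("kind"), subject.get("name"))
        if pair in DISALLOWED_SUBJECTS:
            found.append(pair)
    return found


def is_compliant(binding):
    """True when no anonymous or unauthenticated subject is bound to the role."""
    return not offending_subjects(binding)


# Constructed sample (hypothetical names): a ClusterRoleBinding that exposes the
# built-in 'view' ClusterRole to every unauthenticated request.
NON_COMPLIANT = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "example-open-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"},
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "system:anonymous"},
    ],
}

# Remediated form: the same role bound only to an authenticated service account.
COMPLIANT = {
    **NON_COMPLIANT,
    "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "default"}],
}

if __name__ == "__main__":
    for binding in (NON_COMPLIANT, COMPLIANT):
        status = "compliant" if is_compliant(binding) else offending_subjects(binding)
        print(binding["metadata"]["name"], status)
```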

REMEDIATION

Kubernetes Role Binding

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.

Compliance Frameworks

  • Container Admission Control
  • Container Admission Control 1.0