Ensure that anonymous requests are authorized (RBAC) (OpenShift)

When anonymous requests to the API server are allowed (the kube-apiserver default, --anonymous-auth=true), each such request is authenticated as the user system:anonymous in the group system:unauthenticated and must then pass RBAC authorization like any other request. OpenShift relies on anonymous access for a small set of read-only endpoints (API discovery and OAuth metadata), so the expected state is that the default cluster-scoped role bindings for system:unauthenticated are present and have not been removed or extended.

Risk Level: High
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.K8S.IAM.49
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

List<KubernetesRoleBinding> should have items contain [namespace='*' and subjects contain-any [ name='system:unauthenticated' ]]

REMEDIATION

None required. The default configuration should not be modified. Note that the check above passes as long as at least one cluster-scoped binding names system:unauthenticated as a subject; it does not evaluate which role that binding grants, so any binding that gives the group more than the default read-only access still needs to be reviewed by hand.

References

  1. https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html
  2. https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html
  3. https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators
  4. https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators
  5. https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators
  6. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
  7. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests

Kubernetes Role Binding

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts) and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace, whereas a ClusterRoleBinding grants that access cluster-wide; in the GSL logic above a ClusterRoleBinding is the binding whose namespace is '*'.
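To see the rule's predicate applied to real data, here is an added Python example (not CloudGuard's code and not part of the original page) that evaluates the GSL logic above against JSON in the shape that oc get clusterrolebindings,rolebindings --all-namespaces -o json returns; the command shape, the embedded sample bindings and the high-privilege role list are assumptions. It maps a ClusterRoleBinding to namespace='*' as the GSL does, reports which roles anonymous callers hold, and goes one step beyond the rule by flagging a high-privilege role bound to system:unauthenticated and the namespace-scoped grants that the predicate does not cover.

```python
import json
import sys
from typing import Any, Dict, List

# Constructed sample shaped like the output of
#   oc get clusterrolebindings,rolebindings --all-namespaces -o json
# (assumption). Binding names, roles and the two misconfigurations are
# illustrative, not a dump from a real cluster.
SAMPLE_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        # Constructed misconfiguration: cluster-admin handed to anonymous callers.
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "anon-admin-mistake"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
        # Constructed namespace-scoped grant; outside the GSL predicate
        # (namespace != '*') but still worth a look.
        {"kind": "RoleBinding",
         "metadata": {"name": "anon-view", "namespace": "demo"},
         "roleRef": {"kind": "Role", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    ],
})

ANON_GROUP = "system:unauthenticated"
# Heuristic deny list (assumption): roles an anonymous caller should never hold.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}


def scope(binding: Dict[str, Any]) -> str:
    """Namespace as the GSL sees it: '*' for a ClusterRoleBinding, else the RoleBinding's namespace."""
    if binding.get("kind") == "ClusterRoleBinding":
        return "*"
    return binding.get("metadata", {}).get("namespace", "")


def has_subject(binding: Dict[str, Any], name: str) -> bool:
    # 'subjects' may be null on a binding with no subjects, hence the 'or []'.
    return any(s.get("name") == name for s in binding.get("subjects") or [])


def evaluate(doc_json: str) -> Dict[str, Any]:
    """Apply the rule's predicate and report what anonymous callers are granted."""
    items: List[Dict[str, Any]] = json.loads(doc_json).get("items", [])
    anon = [b for b in items if has_subject(b, ANON_GROUP)]
    # GSL: namespace='*' and subjects contain-any [name='system:unauthenticated']
    cluster_scoped = [b for b in anon if scope(b) == "*"]
    return {
        "compliant": bool(cluster_scoped),
        "cluster_bindings": sorted(b["metadata"]["name"] for b in cluster_scoped),
        "granted_roles": sorted({f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
                                 for b in cluster_scoped}),
        # Beyond the rule: bindings that pass the check but are dangerous anyway.
        "overprivileged": sorted(b["metadata"]["name"] for b in cluster_scoped
                                 if b["roleRef"]["name"] in HIGH_PRIVILEGE_ROLES),
        # Namespace-scoped grants the rule ignores.
        "namespaced": sorted(f'{scope(b)}/{b["metadata"]["name"]}'
                             for b in anon if scope(b) != "*"),
    }


if __name__ == "__main__":
    # Pipe real `oc get ... -o json` output in, or run without input to use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    print(json.dumps(evaluate(raw), indent=2))
```

Run it with the cluster's own JSON on stdin to get the same pass/fail verdict the rule would give, plus the list of roles behind it. On the sample the rule itself passes (cluster-scoped bindings for system:unauthenticated exist), yet the report lists the constructed cluster-admin binding under overprivileged, which is exactly the gap the remediation text leaves to manual review.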

Compliance Frameworks

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • OpenShift Container Platform v3