Ensure that anonymous requests are authorized (RBAC)(Openshift)
When anonymous requests to the API server are allowed, they must be authorized.
Risk Level: High
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.K8S.IAM.49
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
List<KubernetesRoleBinding> should have items contain [namespace='*' and subjects contain-any [ name='system:unauthenticated' ]]
REMEDIATION
None required. The default configuration should not be modified.
References
- https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html
- https://docs.openshift.com/container-platform/4.5/authentication/using-rbac.html
- https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-authentication-operator_red-hat-operators
- https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators
- https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
- https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
Kubernetes Role Binding
A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
Compliance Frameworks
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
- OpenShift Container Platform v3
Updated over 1 year ago