Avoid non-default ClusterRoleBindings and RoleBindings with the group system:unauthenticated, except the ClusterRoleBinding system:public-info-viewer

Kubernetes assigns the group system:unauthenticated to API server requests that have no authentication information provided. Binding a role to this group gives any unauthenticated user the permissions granted by that role and is strongly discouraged.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Identify all non-default clusterrolebindings and rolebindings to the group system:unauthenticated. Check whether they are used and review the permissions associated with each binding using the commands in the Audit section above, or refer to the GKE documentation. Strongly consider replacing non-default, unsafe bindings with an authenticated, user-defined group. Where possible, bind to non-default, user-defined groups with least-privilege roles.

If there are any non-default, unsafe bindings to the group system:unauthenticated, delete them after considering the impact on cluster operations, leaving only necessary, safer bindings:

kubectl delete clusterrolebinding [CLUSTER_ROLE_BINDING_NAME]
kubectl delete rolebinding [ROLE_BINDING_NAME] --namespace [ROLE_BINDING_NAMESPACE]

Impact:
Unauthenticated users will have the privileges and permissions of the roles associated with the configured bindings. Care should be taken before removing any non-default clusterrolebindings or rolebindings from the environment to ensure they were not required for operation of the cluster. Use a more specific, authenticated user for cluster operations.
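As an added illustration (not part of the Nessus check or of any GKE tooling), the audit step in Python over a constructed sample standing in for the JSON that kubectl returns: it flags every binding whose subjects include the group system:unauthenticated, exempts system:public-info-viewer as the benchmark does, and generates the delete commands from the Solution for review. The binding names and namespaces in the sample are made up.

```python
import json

UNAUTH_GROUP = "system:unauthenticated"
# The one default ClusterRoleBinding the benchmark exempts.
EXEMPT_CLUSTER_ROLE_BINDINGS = {"system:public-info-viewer"}

# Constructed sample standing in for `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE_BINDINGS = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"},
               {"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-cluster-readers"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "RoleBinding", "metadata": {"name": "anon-dev-edit", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "deployer"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]}
]}
""")

def binds_unauthenticated(binding):
    """True if any subject of the binding is the Group system:unauthenticated."""
    # kubectl omits "subjects" entirely for a binding with no subjects, hence `or []`.
    return any(s.get("kind") == "Group" and s.get("name") == UNAUTH_GROUP
               for s in binding.get("subjects") or [])

def find_unsafe_bindings(binding_list):
    """Return (kind, namespace, name, roleRef name) for each binding the benchmark flags."""
    findings = []
    for item in binding_list["items"]:
        kind, meta = item["kind"], item["metadata"]
        if kind == "ClusterRoleBinding" and meta["name"] in EXEMPT_CLUSTER_ROLE_BINDINGS:
            continue
        if binds_unauthenticated(item):
            findings.append((kind, meta.get("namespace"), meta["name"], item["roleRef"]["name"]))
    return findings

def remediation_commands(findings):
    """The delete commands from the Solution, one per flagged binding, for review before use."""
    cmds = []
    for kind, namespace, name, _ in findings:
        if kind == "ClusterRoleBinding":
            cmds.append(f"kubectl delete clusterrolebinding {name}")
        else:
            cmds.append(f"kubectl delete rolebinding {name} --namespace {namespace}")
    return cmds
```

Each finding carries the roleRef name so the reviewer can weigh what an anonymous caller would actually get (here `view` cluster-wide and `edit` in one namespace) before deciding whether a binding is required or should be replaced with an authenticated group.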