1.2.1 Ensure that anonymous requests are authorized - ClusterRoleBindings

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

When anonymous requests to the API server are allowed, they must be authorized.

Rationale:

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. You should rely on authentication to authorize anonymous requests.

If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.

Impact:

Anonymous requests are assigned to the system:unauthenticated group which allows the system to determine which actions are allowed.

Solution

None required. The default configuration should not be modified.

Default Value:

By default, anonymous access is enabled and assigned to the system:unauthenticated group, which allows the system to determine which actions are allowed.

If the default behavior is changed, platform components will not work properly, in particular Elasticsearch and Prometheus. The oauth-proxy deployed as part of these components makes anonymous use of /.well-known/oauth-authorization-server endpoint, granted by system:discovery role.

See Also

https://workbench.cisecurity.org/files/4260