4.1.9 Avoid non-default bindings to system:unauthenticated

Information

Avoid non-default ClusterRoleBindings and RoleBindings with the group system:unauthenticated except the ClusterRoleBinding system:public-info-viewer

Kubernetes assigns the group system:unauthenticated to API server requests that have no authentication information provided. Binding a role to this group gives any unauthenticated user the permissions granted by that role and is strongly discouraged.

Solution

Identify all non-default clusterrolebindings and rolebindings to the group system:unauthenticated Check if they are used and review the permissions associated with the binding using the commands in the Audit section above or refer to GKE documentation.

Strongly consider replacing non-default, unsafe bindings with an authenticated, user-defined group. Where possible, bind to non-default, user-defined groups with least-privilege roles.

If there are any non-default, unsafe bindings to the group system:unauthenticated proceed to delete them after consideration for cluster operations with only necessary, safer bindings.

kubectl delete clusterrolebinding
[CLUSTER_ROLE_BINDING_NAME] kubectl delete rolebinding
[ROLE_BINDING_NAME]
--
namespace
[ROLE_BINDING_NAMESPACE]

Impact:

Unauthenticated users will have privileges and permissions associated with roles associated with the configured bindings.

Care should be taken before removing any non-default clusterrolebindings or rolebindings from the environment to ensure they were not required for operation of the cluster. Leverage a more specific and authenticated user for cluster operations.

See Also

https://workbench.cisecurity.org/benchmarks/19166