Information
Avoid non-default ClusterRoleBindings and RoleBindings with the group system:authenticated except the ClusterRoleBindings system:basic-user system:discovery and system:public-info-viewer
Google's approach to authentication is to make authenticating to Google Cloud and GKE as simple and secure as possible without adding complex configuration steps. The group system:authenticated includes all users with a Google account, which includes all Gmail accounts. Consider your authorization controls with this extended group scope when granting permissions. Thus, group system:authenticated is not recommended for non-default use.
GKE assigns the group system:authenticated to API server requests made by any user who is signed in with a Google Account, including all Gmail accounts. In practice, this isn't meaningfully different from system:unauthenticated because anyone can create a Google Account.
Binding a role to the group system:authenticated gives any user with a Google Account, including all Gmail accounts, the permissions granted by that role and is strongly discouraged.
Solution
Identify all non-default clusterrolebindings and rolebindings to the group system:authenticated Check if they are used and review the permissions associated with the binding using the commands in the Audit section above or refer to GKE documentation.
Strongly consider replacing non-default, unsafe bindings with an authenticated, user-defined group. Where possible, bind to non-default, user-defined groups with least-privilege roles.
If there are any non-default, unsafe bindings to the group system:authenticated proceed to delete them after consideration for cluster operations with only necessary, safer bindings.
kubectl delete clusterrolebinding
[CLUSTER_ROLE_BINDING_NAME] kubectl delete rolebinding
[ROLE_BINDING_NAME]
--namespace
[ROLE_BINDING_NAMESPACE]
Impact:
Authenticated users in group system:authenticated should be treated similarly to users in system:unauthenticated having privileges and permissions associated with roles associated with the configured bindings.
Care should be taken before removing any non-default clusterrolebindings or rolebindings from the environment to ensure they were not required for operation of the cluster. Leverage a more specific and authenticated user for cluster operations.