4.1.8 Avoid bindings to system:anonymous

Information

Avoid ClusterRoleBindings nor RoleBindings with the user system:anonymous

Kubernetes assigns user system:anonymous to API server requests that have no authentication information provided. Binding a role to user system:anonymous gives any unauthenticated user the permissions granted by that role and is strongly discouraged.

Solution

Identify all clusterrolebindings and rolebindings to the user system:anonymous. Check if they are used and review the permissions associated with the binding using the commands in the Audit section above or refer to GKE documentation.

Strongly consider replacing unsafe bindings with an authenticated, user-defined group. Where possible, bind to non-default, user-defined groups with least-privilege roles.

If there are any unsafe bindings to the user system:anonymous proceed to delete them after consideration for cluster operations with only necessary, safer bindings.

kubectl delete clusterrolebinding
[CLUSTER_ROLE_BINDING_NAME] kubectl delete rolebinding
[ROLE_BINDING_NAME]
--namespace
[ROLE_BINDING_NAMESPACE]

Impact:

Unauthenticated users will have privileges and permissions associated with roles associated with the configured bindings.

Care should be taken before removing any clusterrolebindings or rolebindings from the environment to ensure they were not required for operation of the cluster. Use a more specific and authenticated user for cluster operations.

See Also

https://workbench.cisecurity.org/benchmarks/19166