Information
When anonymous requests to the API server are allowed, they must be authorized.
Rationale:
When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. You should rely on authentication to authorize anonymous requests.
If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.
Impact:
Anonymous requests are assigned to the system:unauthenticated group which allows the system to determine which actions are allowed.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
None. The default configuration should not be modified.
Default Value:
By default, anonymous access is enabled and assigned to the system:unauthenticated group, which allows the system to determine which actions are allowed.
If the default behavior is changed, platform components will not work properly, in particular Elasticsearch and Prometheus. The oauth-proxy deployed as part of these components makes anonymous use of /.well-known/oauth-authorization-server endpoint, granted by system:discovery role.