4.2.2 Ensure that the --anonymous-auth argument is set to false

Information

Disable anonymous requests to the Kubelet server.

Rationale:

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.

Impact:

Anonymous requests will be rejected.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create a kubeletconfig to explicitly disable anonymous authentication. Examples of how to do this can be found in the OpenShift documentation.

Default Value:

By default, anonymous access is set to false.
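To confirm the effective setting on a node rather than rely on the default, the following added example (not part of the benchmark or the OpenShift documentation) grades a kubelet configuration document and a kubelet command line for this control. It assumes the JSON has the shape returned by the kubelet's `/configz` endpoint (a top-level `kubeletconfig` object); the PASS/FAIL/REVIEW labels, function names, node names and sample inputs are constructed for illustration.

```python
import json
import shlex

# Strings Go's strconv.ParseBool reads as false (the kubelet is a Go program).
FALSE_VALUES = {"0", "f", "F", "false", "False", "FALSE"}

def audit_configz(configz_json):
    """Grade one node's kubelet configuration JSON for this control."""
    try:
        node = json.loads(configz_json)
    except json.JSONDecodeError as exc:
        return "ERROR", f"not valid JSON: {exc}"
    # Walk kubeletconfig.authentication.anonymous, tolerating missing levels.
    for key in ("kubeletconfig", "authentication", "anonymous"):
        node = node.get(key) if isinstance(node, dict) else None
    enabled = node.get("enabled") if isinstance(node, dict) else None
    if enabled is False:
        return "PASS", "authentication.anonymous.enabled is false"
    if enabled is True:
        return "FAIL", "anonymous requests are accepted"
    return "REVIEW", "authentication.anonymous.enabled is not set explicitly"

def audit_flag(cmdline):
    """Grade a kubelet command line; the last --anonymous-auth occurrence wins."""
    status = ("REVIEW", "flag absent; check the kubelet configuration instead")
    for arg in shlex.split(cmdline):
        name, sep, value = arg.partition("=")
        if name != "--anonymous-auth":
            continue
        if sep and value in FALSE_VALUES:
            status = ("PASS", "--anonymous-auth is false")
        else:  # a bare boolean flag, or any other value, is treated as enabled
            status = ("FAIL", f"{arg} enables anonymous requests")
    return status

# Constructed sample documents, one per hypothetical node.
SAMPLES = {
    "worker-0": '{"kubeletconfig": {"authentication": '
                '{"anonymous": {"enabled": false}, "webhook": {"enabled": true}}}}',
    "worker-1": '{"kubeletconfig": {"authentication": {"anonymous": {"enabled": true}}}}',
    "worker-2": '{"kubeletconfig": {"authentication": {"webhook": {"enabled": true}}}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, *audit_configz(body))
    # Constructed command line with a placeholder config path.
    print(*audit_flag("kubelet --config=/path/to/kubelet.conf --anonymous-auth=false"))
```

A REVIEW result means the value was not stated explicitly in the input examined, so the node still needs a manual check against the benchmark.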

See Also

https://workbench.cisecurity.org/benchmarks/16094

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: OpenShift

Control ID: 160e1bb36aaad80ceb905693dccfbe24d5df59983fb0aca3b9ef9082afd8d834