Ensure that anonymous requests to the API Server are authorized
An XCCDF Rule
Description
By default, anonymous access to the OpenShift API is enabled, but at
the same time, all requests must be authorized. If no authentication
mechanism is used, the request is assigned the system:anonymous
virtual user and the system:unauthenticated
virtual group.
This allows the authorization layer to determine which requests, if any,
an anonymous user is authorized to make.
To verify the authorization rules for anonymous requests run the following:
$ oc describe clusterrolebindings
and inspect the bindings of the system:anonymous virtual user and the
system:unauthenticated virtual group.
To test that an anonymous request is authorized to access the readyz
endpoint, run:
$ oc get --as="system:anonymous" --raw='/readyz?verbose'
In contrast, a request to list all projects should not be authorized:
$ oc get --as="system:anonymous" projects
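The same review can be automated against a saved dump of the clusterrolebindings endpoint. The following is an added example, not part of the rule or the SSG content: it lists every binding granted to the system:anonymous user or the system:unauthenticated group and flags the ones whose role is not on a reviewer-supplied allow-list (the roles the cluster owner judged acceptable for health checks and discovery). The dump and the allow-list are constructed for illustration.

```python
import json

# Constructed sample shaped like a ClusterRoleBindingList as served by
# /apis/rbac.authorization.k8s.io/v1/clusterrolebindings. Not a real cluster dump.
SAMPLE_DUMP = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {"metadata": {"name": "system:discovery"},
         "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"metadata": {"name": "cluster-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]},
        # Hypothetical stray binding a reviewer would want to see flagged.
        {"metadata": {"name": "anon-project-reader"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    ],
})

# The two virtual identities assigned to unauthenticated requests.
ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}


def anonymous_bindings(dump_json):
    """Return (binding, role, subject) for every subject entry that grants a
    role to the anonymous virtual user or the unauthenticated virtual group."""
    found = []
    for item in json.loads(dump_json).get("items", []):
        role = item.get("roleRef", {}).get("name", "")
        # 'subjects' may be absent or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("name") in ANONYMOUS_SUBJECTS:
                found.append((item["metadata"]["name"], role, subj["name"]))
    return found


def unexpected_anonymous_roles(dump_json, allowed_roles):
    """Anonymous grants whose role is not on the allow-list; these are the
    bindings that need a human decision, as the rationale asks for."""
    allowed = set(allowed_roles)
    return [b for b in anonymous_bindings(dump_json) if b[1] not in allowed]


if __name__ == "__main__":
    # Allow-list is an assumption for this example; set it to what your review decided.
    for binding, role, subject in unexpected_anonymous_roles(SAMPLE_DUMP, ["system:discovery"]):
        print(f"REVIEW: binding {binding} grants {role} to {subject}")
```

Run it against the real file by replacing SAMPLE_DUMP with the contents of the saved clusterrolebindings endpoint.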
Warning: This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the /apis/rbac.authorization.k8s.io/v1/clusterrolebindings API endpoint to the local /apis/rbac.authorization.k8s.io/v1/clusterrolebindings file.
Rationale
When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.
- ID: xccdf_org.ssgproject.content_rule_api_server_anonymous_auth
- Severity: Medium
- References
- Updated