--anonymous-auth argument is set to false

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.2.1

Set up the kubernetes integration.

Description

Disable anonymous requests to the API server.

Rationale

When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. You should rely on authentication to authorize access and disallow anonymous requests. If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Verify the --anonymous-auth argument is set to false.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the parameter --anonymous-auth=false

Impact

Anonymous requests will be rejected.

Default value

By default, anonymous access is enabled.

References

  1. https://kubernetes.io/docs/admin/kube-apiserver/
  2. https://kubernetes.io/docs/admin/authentication/#anonymous-requests

CIS controls

Version 6

14 Controlled Access Based on the Need to Know

Version 7

14 Controlled Access Based on the Need to Know