Ensure the --anonymous-auth argument is set to False

Error: The --anonymous-auth argument is not set to False

Bridgecrew Policy ID: BC_K8S_46
Checkov Check ID: CKV_K8S_68
Severity: LOW

The --anonymous-auth argument is not set to False

Description

Disable anonymous requests to the API server. When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. You should rely on authentication to authorize access and disallow anonymous requests.
If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
+   - kube-apiserver
+   - --anonymous-auth=false
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    ...