Profile Applicability:
Level 1
Description:
Ensure that the --anonymous-auth argument is set to false on the Kubernetes API server (kube-apiserver). The flag controls whether the API server accepts requests that carry no credentials. When it is true, such requests are not rejected: they are authenticated as the user system:anonymous in the group system:unauthenticated, and whatever RBAC grants that user or group becomes reachable by anyone who can connect to the endpoint. Setting it to false rejects credential-less requests with HTTP 401 before authorization runs, so only authenticated users and service accounts can interact with the API server. (The kubelet has a flag of the same name for its own node-local API; that is a separate control and is not covered here.)
Rationale:
With anonymous authentication enabled, every request to the API server passes the authentication stage, and the only thing between an unauthenticated client and cluster resources is authorization. A single overly broad RoleBinding or ClusterRoleBinding whose subjects include system:unauthenticated or system:anonymous, or a permissive authorizer such as AlwaysAllow, then exposes those resources to anyone who can reach the endpoint. Even with correct RBAC, anonymous callers can still read the paths the default bindings allow (/healthz, /livez, /readyz, /version) and can probe other paths to confirm that an API server is listening. Disabling anonymous authentication removes this exposure at the authentication layer instead of relying on authorization being configured perfectly everywhere.
Impact:
Pros:
Enhances security by ensuring that all requests to the Kubernetes API server are authenticated.
Prevents unauthorized access to sensitive resources and actions within the cluster.
Cons:
Any client that relied on unauthenticated access stops working. The usual cases are load balancer or monitoring health checks that call /healthz, /livez or /readyz without a token, and tooling that reads /version anonymously; these receive HTTP 401 and must be given credentials or moved to a different check.
If no other authentication method is configured (client certificates, static or bootstrap tokens, service account tokens, OIDC or an authentication webhook), disabling anonymous access locks everyone out of the API server, including the operator making the change.
Default Value:
The kube-apiserver default is --anonymous-auth=true, so a cluster that never sets the flag accepts anonymous requests. The upstream RBAC defaults grant system:unauthenticated only the system:public-info-viewer ClusterRole (GET on /healthz, /livez, /readyz and /version); anything beyond that is cluster-specific configuration. On Amazon EKS the control plane is managed by AWS: the API server runs with anonymous authentication enabled and the flag is not customer-configurable, so on EKS this control is met by limiting who can reach the endpoint and by auditing RBAC bindings to system:unauthenticated and system:anonymous, not by setting the flag. On self-managed clusters the flag must be set explicitly.
Pre-Requisites:
kubectl access to the cluster with a credential that can read Pods in kube-system and ClusterRoleBindings (cluster-admin is simplest), plus curl to probe the endpoint without credentials.
For self-managed control planes (kubeadm or similar): root or sudo on every control-plane node, because the API server flags live in the static pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml, which cannot be edited through the Kubernetes API.
For Amazon EKS: IAM permissions to describe and update the cluster (eks:DescribeCluster and eks:UpdateClusterConfig) if endpoint access is going to be restricted.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console and open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section, select the cluster, and open its "Networking" tab.
The console does not expose kube-apiserver flags, and --anonymous-auth cannot be changed on EKS. Record instead whether public access to the API server endpoint is enabled and, if so, which source CIDRs are allowed. A public endpoint open to 0.0.0.0/0 means anonymous requests are accepted from the entire internet and only RBAC stands in the way.
Using the command line:
For a self-managed (kubeadm-style) control plane, inspect the API server flags on each control-plane node. The static pod manifest is the source of truth; the Pod named kube-apiserver-<node> in kube-system is only a read-only mirror of it:
grep -- '--anonymous-auth' /etc/kubernetes/manifests/kube-apiserver.yaml
Or, from a workstation:
kubectl get pods -n kube-system -l component=kube-apiserver -o yaml | grep -- '--anonymous-auth'
The flag must be present and read exactly:
- --anonymous-auth=false
A missing flag means the default (true) is in effect and the check fails.
For any cluster, including EKS, confirm the effective behaviour by sending a request with no credentials to the API endpoint of the current kubeconfig context:
curl -sk -o /dev/null -w '%{http_code}\n' "$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')/api"
HTTP 401 means anonymous authentication is disabled. HTTP 403 means the request was authenticated as system:anonymous and then denied by RBAC, i.e. anonymous authentication is enabled. A 2xx response means anonymous callers are both authenticated and authorized for that path, and the cluster is exposed.
Where the flag cannot be changed (EKS), also verify that RBAC grants nothing to anonymous callers beyond the upstream default:
kubectl get clusterrolebindings,rolebindings -A -o wide | grep -E 'system:unauthenticated|system:anonymous'
Only system:public-info-viewer, bound to system:unauthenticated, should appear.
Implementation Plan:
Using AWS Console:
--anonymous-auth cannot be set on EKS because the control plane is managed by AWS. Reduce exposure instead: in the cluster's "Networking" tab choose "Manage endpoint access", disable public access or restrict it to known source CIDRs, and keep private access enabled for in-VPC clients.
Using AWS CLI (EKS):
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=false,endpointPrivateAccess=true
Where a public endpoint is required, restrict the sources that may reach it instead:
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config publicAccessCidrs="203.0.113.0/24"
Then remove any RoleBinding or ClusterRoleBinding, other than system:public-info-viewer, whose subjects include system:unauthenticated or system:anonymous.
Using the command line (self-managed control plane):
kube-apiserver does not run as a Deployment, and editing its mirror Pod with kubectl has no effect. On each control-plane node, edit the static pod manifest:
sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml
Under spec.containers[0].command, add or update the flag so it reads:
- --anonymous-auth=false
Save the file. The kubelet watches the manifests directory and restarts the API server static pod with the new flags; no kubectl apply is needed. Repeat on every control-plane node, one at a time, and re-run the unauthenticated curl probe from the Test Plan, which should now return 401.
For kubeadm clusters, also record the flag under apiServer.extraArgs in the ClusterConfiguration stored in the kubeadm-config ConfigMap in kube-system, so that the next kubeadm upgrade regenerates the manifest with the flag in place.
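The script below is an added example, not part of the original page and not Kubernetes or AWS tooling. It automates the self-managed parts of the Test Plan and Implementation Plan above: it reads the effective --anonymous-auth value out of a kubeadm-style static pod manifest (absent flag means the default, true), rewrites a copy of the manifest with the flag set to false exactly once, and maps the HTTP status of an unauthenticated probe to a verdict. It assumes the manifest lists flags as "- --flag=value" items under "command:" in the "=" form; the two sample manifests it creates are constructed for the demo, the function names are mine, and the two live-cluster helpers additionally assume kubectl, curl and jq are installed.

```shell
#!/bin/sh
# Added example, not part of the original page or of Kubernetes/AWS tooling:
# audit and harden --anonymous-auth in a kubeadm-style kube-apiserver static
# pod manifest, and interpret an unauthenticated probe of the API endpoint.
# Assumptions: flags are "- --flag=value" list items under "command:" (the
# "=" form). The manifests under $SAMPLE_DIR are constructed for this demo; a
# real audit points the functions at /etc/kubernetes/manifests/kube-apiserver.yaml
# on each control-plane node.

# Effective value of --anonymous-auth in a manifest: the flag's value when set,
# otherwise "true", the kube-apiserver default when the flag is absent.
apiserver_anonymous_auth_value() {
  _v=$(grep -oE -- '--anonymous-auth=[A-Za-z]+' "$1" | head -n 1 | cut -d= -f2)
  printf '%s\n' "${_v:-true}"
}

# Exit status 0 when the manifest is compliant, 1 otherwise.
check_apiserver_anonymous_auth() {
  [ "$(apiserver_anonymous_auth_value "$1")" = "false" ]
}

# Copy manifest $1 to $2 with --anonymous-auth=false set exactly once: rewrite an
# existing value, or insert the flag after the "- kube-apiserver" command entry
# with the same indentation. Writing a copy leaves the live manifest untouched
# until the operator moves it into place; the kubelet then restarts the pod.
set_anonymous_auth_false() {
  if grep -q -- '--anonymous-auth=' "$1"; then
    sed 's/--anonymous-auth=[A-Za-z]*/--anonymous-auth=false/' "$1" > "$2"
  else
    awk '{ print }
         /^[ \t]*- kube-apiserver[ \t]*$/ {
           match($0, /^[ \t]*/)
           print substr($0, 1, RLENGTH) "- --anonymous-auth=false"
         }' "$1" > "$2"
  fi
}

# Verdict for the HTTP status of a credential-less GET on <server>/api:
#   401  rejected at authentication, anonymous auth is off       (status 0)
#   403  accepted as system:anonymous, then denied by RBAC        (status 1)
#   2xx  accepted and authorized, readable by anyone who connects (status 2)
classify_unauthenticated_status() {
  case "$1" in
    401) printf 'anonymous-auth=false: request rejected with 401\n'; return 0 ;;
    403) printf 'anonymous-auth=true: accepted as system:anonymous, denied by RBAC\n'; return 1 ;;
    2[0-9][0-9]) printf 'anonymous-auth=true AND authorized: path readable anonymously\n'; return 2 ;;
    *) printf 'unexpected status %s: endpoint unreachable or behind a proxy\n' "$1"; return 3 ;;
  esac
}

# Live checks against the current kubeconfig context (needs network, kubectl,
# curl and jq; not run by the offline demo below). The kubectl/jq pipeline is a
# plain query written for this example, not an official audit command.
probe_current_cluster() {
  _server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  classify_unauthenticated_status "$(curl -sk -o /dev/null -w '%{http_code}' "$_server/api")"
}
# ClusterRoleBindings that give anonymous callers anything. Upstream ships only
# system:public-info-viewer -> system:unauthenticated; anything else needs review.
list_anonymous_clusterrolebindings() {
  kubectl get clusterrolebindings -o json | jq -r '.items[]
    | select(any(.subjects[]?; .name == "system:unauthenticated" or .name == "system:anonymous"))
    | "\(.metadata.name)\t\(.roleRef.name)"'
}

# --- Offline demo on constructed manifests (not real cluster files) ----------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --secure-port=6443
EOF
# Same manifest with the flag explicitly set to true (still non-compliant).
sed 's/--secure-port=6443/--anonymous-auth=true/' "$SAMPLE_DIR/weak.yaml" \
  > "$SAMPLE_DIR/explicit-true.yaml"
for m in weak explicit-true; do
  set_anonymous_auth_false "$SAMPLE_DIR/$m.yaml" "$SAMPLE_DIR/$m-fixed.yaml"
done
for m in weak explicit-true weak-fixed explicit-true-fixed; do
  if check_apiserver_anonymous_auth "$SAMPLE_DIR/$m.yaml"; then v=PASS; else v=FAIL; fi
  printf '%-20s anonymous-auth=%-5s %s\n' "$m" \
    "$(apiserver_anonymous_auth_value "$SAMPLE_DIR/$m.yaml")" "$v"
done
```

The manifest functions never touch the live file: run them against a copy, diff the result, and only then move it into /etc/kubernetes/manifests so that a malformed edit cannot take the API server down. On EKS only the two live helpers apply, and the expected results are a 403 from probe_current_cluster (the flag cannot be turned off there) and a single line, system:public-info-viewer, from list_anonymous_clusterrolebindings.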
Backout Plan:
Using AWS Console:
There is no API server flag to revert on EKS. If endpoint access was restricted and must be reopened, select the cluster, open the "Networking" tab, choose "Manage endpoint access" and re-enable public access or widen the allowed source CIDRs.
Using AWS CLI (EKS):
aws eks update-cluster-config --name <cluster-name> --resources-vpc-config endpointPublicAccess=true,publicAccessCidrs="0.0.0.0/0"
Restoring a removed RBAC binding for system:unauthenticated means re-applying its manifest; keep a copy of anything deleted during implementation.
Using the command line (self-managed control plane):
On each control-plane node, edit /etc/kubernetes/manifests/kube-apiserver.yaml and either delete the - --anonymous-auth=false line (restoring the default of true) or change it to:
- --anonymous-auth=true
Save the file; the kubelet restarts the static pod automatically. Verify with the unauthenticated curl probe from the Test Plan: a 403 (or 2xx where RBAC permits) confirms anonymous access is back. Revert the matching apiServer.extraArgs entry in the kubeadm ClusterConfiguration as well, otherwise the next kubeadm upgrade reinstates the hardened flag.
References:
Kubernetes API Server Configuration (kube-apiserver command-line reference): https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
Kubernetes Authentication, "Anonymous requests": https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
Amazon EKS cluster endpoint access control: https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html