Profile Applicability:

  • Level 1

Description:
This check ensures that the --anonymous-auth argument in the Kubernetes API server configuration is set to false. When set to false, the API server does not accept anonymous requests and requires proper authentication to interact with the Kubernetes API.

Rationale:
Allowing anonymous access to the Kubernetes API can lead to unauthorized access and potential security risks. Setting the --anonymous-auth argument to false helps to secure the API server by ensuring that all requests are authenticated, thereby protecting sensitive data and configuration.

Impact:

Pros:

  • Ensures that only authenticated users can access the Kubernetes API.

  • Reduces the risk of unauthorized access and potential misuse of the cluster.

Cons:

  • May require additional configuration for service accounts or API clients to authenticate properly.

Default Value:
The default value for --anonymous-auth is typically set to true, meaning that anonymous requests are allowed unless explicitly disabled.

Pre-requisites:

  • Access to the Kubernetes API server configuration.

  • Proper configuration of authentication mechanisms (e.g., service accounts, certificates, etc.).

Test Plan:

Using AWS Console:

  1. Open the Azure Portal and navigate to your AKS cluster settings.

  2. Review the API server configuration to verify that the --anonymous-auth argument is set to false.

Using AWS CLI:

Retrieve the current Kubernetes API server configuration using the following command:

kubectl get cm -n kube-system kube-apiserver -o yaml

Check that the --anonymous-auth argument is present and set to false. If the argument is absent, the default value (true) applies and the check fails.

Implementation Plan:

Using AWS Console:

  1. Go to the Azure Portal.

  2. Under the AKS cluster settings, find the API server configuration.

  3. Ensure that the --anonymous-auth argument is set to false.

Using AWS CLI:

Edit the Kubernetes API server configuration using the following command:

kubectl edit deployment kube-apiserver -n kube-system

In the command section, set --anonymous-auth=false and save the changes.
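The following script is an added example, not part of the benchmark text, covering both the Test Plan (audit) and the Implementation Plan (remediation) above. It reads API server command-line text in any of the forms the Test Plan would produce (a YAML manifest, or the kubectl jsonpath/JSON output of the container command), reports the effective value of --anonymous-auth, and rewrites a manifest so the flag is explicitly false. The three manifests embedded here are constructed samples in the shape of a kubeadm static pod spec; on a real cluster, pass the function the output of the kubectl command from the Test Plan instead. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): audit and remediate the
# --anonymous-auth flag of kube-apiserver. The manifests below are CONSTRUCTED
# samples; feed the functions real kubectl output on an actual cluster.

# Constructed sample: flag absent, so the default (true) applies -> FAIL.
SAMPLE_DEFAULT='spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --secure-port=6443'

# Constructed sample: flag explicitly enabled -> FAIL.
SAMPLE_TRUE='spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=true
    - --authorization-mode=Node,RBAC'

# Constructed sample: flag explicitly disabled -> PASS.
SAMPLE_FALSE='spec:
  containers:
  - command:
    - kube-apiserver
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC'

# Print the effective value of --anonymous-auth found in the given text:
# "absent" when the flag is missing, otherwise the literal value. Tokens are
# split on whitespace so YAML list items, jsonpath output and JSON arrays all
# work; trailing ']', ',' or '"' from jsonpath/JSON output are stripped.
# If the flag is repeated, the last occurrence wins (pflag semantics).
anonymous_auth_value() {
    value=$(printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's/^"\{0,1\}--anonymous-auth=\([^],"]*\).*/\1/p' | tail -n 1)
    if [ -z "$value" ]; then
        # A bare --anonymous-auth (no "=value") means true, like absence does.
        if printf '%s\n' "$1" | grep -q -- '--anonymous-auth'; then
            echo true
        else
            echo absent
        fi
    else
        echo "$value"
    fi
}

# Returns 0 (pass) only when the flag is explicitly set to a false value;
# the spellings accepted here are the ones Go's strconv.ParseBool treats as false.
check_anonymous_auth() {
    case "$(anonymous_auth_value "$1")" in
        false|False|FALSE|f|F|0) return 0 ;;
        *)                       return 1 ;;
    esac
}

# One-line audit verdict for a manifest, e.g.
# "FAIL: --anonymous-auth is absent (default true)".
audit_report() {
    v=$(anonymous_auth_value "$1")
    if check_anonymous_auth "$1"; then
        echo "PASS: --anonymous-auth=$v"
    elif [ "$v" = absent ]; then
        echo "FAIL: --anonymous-auth is absent (default true)"
    else
        echo "FAIL: --anonymous-auth=$v"
    fi
}

# Rewrite manifest text so --anonymous-auth=false is set explicitly: replace
# the value of an existing flag, or insert the flag right after the
# "- kube-apiserver" command entry (same indentation) when it is absent.
remediate_manifest() {
    if printf '%s\n' "$1" | grep -q -- '--anonymous-auth'; then
        printf '%s\n' "$1" \
            | sed 's/--anonymous-auth\(=[^[:space:]]*\)\{0,1\}/--anonymous-auth=false/'
    else
        printf '%s\n' "$1" | awk '
            { print }
            /^[[:space:]]*-[[:space:]]*kube-apiserver[[:space:]]*$/ {
                match($0, /^[[:space:]]*/)
                print substr($0, 1, RLENGTH) "- --anonymous-auth=false"
            }'
    fi
}

# Audit the three constructed samples, then audit the remediated default one.
for m in "$SAMPLE_DEFAULT" "$SAMPLE_TRUE" "$SAMPLE_FALSE"; do
    audit_report "$m"
done
audit_report "$(remediate_manifest "$SAMPLE_DEFAULT")"
```

Run the script as-is to see the three verdicts followed by the PASS for the remediated manifest. The audit deliberately treats an absent flag as a failure rather than "unknown", because the Default Value section states the default is true; an auditor that only greps for `--anonymous-auth=true` would miss the most common misconfiguration, which is not setting the flag at all.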

Backout Plan:

Using AWS Console:

  1. If issues arise, revert the change in the Azure Portal by setting --anonymous-auth back to true.

Using AWS CLI:

To revert, edit the Kubernetes API server configuration:

kubectl edit deployment kube-apiserver -n kube-system

Change --anonymous-auth back to true.

References: