C-0113 - Ensure that the API Server --anonymous-auth argument is set to false
Framework
cis-v1.23-t1.0.1
Severity
High
Description of the the issue
When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the API server. You should rely on authentication to authorize access and disallow anonymous requests.
If you are using RBAC authorization, it is generally considered reasonable to allow anonymous access to the API Server for health checks and discovery purposes, and hence this recommendation is not scored. However, you should consider whether anonymous discovery is an acceptable risk for your purposes.
Related resources
Pod
What does this control test
Disable anonymous requests to the API server.
How to check it manually
Run the following command on the Control Plane node:
ps -ef | grep kube-apiserver
Verify that the --anonymous-auth
argument is set to false
.
Remediation
Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the Control Plane node and set the below parameter.
--anonymous-auth=false
Impact Statement
Anonymous requests will be rejected.
Default Value
By default, anonymous access is enabled.
Example
No example
Updated 3 months ago