It seems there is a possible false positive with the following: iam --> Cluster Wide --> Don't bind clusterroles to anonymous/unauthenticated groups.

It is flagging "system:public-info-viewer - ClusterRoleBinding". EKS automatically creates this CRB.

If I remove this with the following command:

It gets automatically re-added after a couple of minutes:

```
# here its gone after I ran the above command
% ./rbac-lookup | grep -E 'system:(anonymous)|(unauthenticated)'
# then after a couple minutes, and run the same command again, its back:
% ./rbac-lookup | grep -E 'system:(anonymous)|(unauthenticated)'
system:unauthenticated cluster-wide ClusterRole/system:public-info-viewer
```

Furthermore, according to the EKS best practice guide, it seems this particular role bound to system:unauthenticated is OK:

> Any role or ClusterRole other than system:public-info-viewer should not be bound to system:anonymous user or system:unauthenticated group.

Source:

Ergo, the check may need to exclude alerting for system:public-info-viewer bound to system:unauthenticated.
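One way such a check could carry the exemption the best-practice guide describes, as an added example that is neither the scanner's nor the reporter's code: the exemption keys on the granted ClusterRole (`system:public-info-viewer`), not on the binding's name, so a binding that merely reuses that name but grants another role still fires. The ClusterRoleBinding dicts are constructed samples in Kubernetes API shape; the `example-anonymous-admin` binding is hypothetical.

```python
"""Flag ClusterRoleBindings that grant anything other than
system:public-info-viewer to anonymous/unauthenticated principals."""

ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}
# The only role the EKS best-practice guide permits on these principals.
ALLOWED_ROLE = ("ClusterRole", "system:public-info-viewer")


def binding_is_exempt(binding):
    """Exempt only when the granted role is system:public-info-viewer.
    The binding's own name is deliberately ignored."""
    ref = binding.get("roleRef", {})
    return (ref.get("kind"), ref.get("name")) == ALLOWED_ROLE


def unauthenticated_subjects(binding):
    """Subjects of the binding that are anonymous or unauthenticated."""
    return [
        (s.get("kind"), s.get("name"))
        for s in binding.get("subjects") or []
        if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS
    ]


def flag_bindings(bindings):
    """Return (binding name, granted role, offending subjects) per finding."""
    findings = []
    for b in bindings:
        subjects = unauthenticated_subjects(b)
        if subjects and not binding_is_exempt(b):
            findings.append((b["metadata"]["name"], b["roleRef"]["name"], subjects))
    return findings


def crb(name, role, subjects):
    """Build a minimal ClusterRoleBinding dict (constructed sample data)."""
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": k, "name": n} for k, n in subjects],
    }


# Constructed samples: the EKS default binding (must not fire), a hypothetical
# binding granting cluster-admin to system:anonymous (must fire), and a normal one.
SAMPLE_BINDINGS = [
    crb("system:public-info-viewer", "system:public-info-viewer", [("Group", "system:unauthenticated")]),
    crb("example-anonymous-admin", "cluster-admin", [("User", "system:anonymous")]),
    crb("system:basic-user", "system:basic-user", [("Group", "system:authenticated")]),
]

if __name__ == "__main__":
    for name, role, subjects in flag_bindings(SAMPLE_BINDINGS):
        print(f"FLAG {name}: ClusterRole/{role} bound to {subjects}")
```

Run against `kubectl get clusterrolebindings -o json` output by passing the `items` list to `flag_bindings`; the EKS default binding is then reported only if its roleRef ever changes.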