open-policy-agent / gatekeeper-library

📚 The OPA Gatekeeper policy library
https://open-policy-agent.github.io/gatekeeper-library
Apache License 2.0

Could we include `system:authenticated` in the set of disallowed subjects in k8sdisallowanonymous template? #561

Closed julianKatz closed 1 month ago

julianKatz commented 3 months ago

Currently, the k8sdisallowanonymous template disallows bindings to the following two subjects:

https://github.com/open-policy-agent/gatekeeper-library/blob/625ca8b0eed3aead24939fc95adefad029fae275/library/general/disallowanonymous/template.yaml#L42-L48

I believe system:authenticated belongs in this list as well.

Rationale from https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/:

> The loophole, which we dubbed Sys:All, stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (including outside the organization). This misunderstanding then creates a significant security loophole when administrators unknowingly bind this group with overly permissive roles.

Users that are seeking to prevent access by users outside their organization are unlikely to care if those users are logged in to Gmail (and thus are system:authenticated) or logged out (system:unauthenticated).

apeabody commented 3 months ago

Hi @julianKatz!

100% agree that system:authenticated deserves additional scrutiny; however, I'm not immediately familiar with whether system:authenticated is beneficial or perhaps even required by other Kubernetes flavors. Given this change would likely be considered a breaking change rather than a fix, I would suggest adding it as a new template parameter (e.g. includeSystemAuthenticated) with the default false being the current behavior.
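A sketch of how the opt-in parameter proposed above could look in Rego. This is an added illustration, not the library's own template: the package name, the parameter name `includeSystemAuthenticated`, and the two base subject names are assumptions (the issue links to the template's list without naming them).

```rego
package k8sdisallowanonymous_example

# Subjects the check always rejects. Assumption: these are the two names the
# library template already lists today.
base_disallowed := {"system:anonymous", "system:unauthenticated"}

# system:authenticated is added only when the constraint opts in, so a missing
# or false parameter keeps the current behaviour (the non-breaking default
# requested in the thread). The parameter name is assumed.
extra_disallowed[name] {
    object.get(input.parameters, "includeSystemAuthenticated", false) == true
    name := "system:authenticated"
}

disallowed := base_disallowed | extra_disallowed

# One violation per offending subject on the reviewed RoleBinding or
# ClusterRoleBinding. Names are matched regardless of subject kind, because
# the "system:" prefix is reserved for identities the API server assigns.
violation[{"msg": msg}] {
    subject := input.review.object.subjects[_]
    disallowed[subject.name]
    msg := sprintf("%v %v binds disallowed subject %v",
        [input.review.object.kind, input.review.object.metadata.name, subject.name])
}
```

With `includeSystemAuthenticated: true` in the constraint's `spec.parameters`, a binding whose subjects include the Group system:authenticated produces a violation; without it, only the two base subjects are rejected.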