Closed julianKatz closed 1 month ago
Hi @julianKatz!

100% agree that `system:authenticated` deserves additional scrutiny; however, I'm not immediately familiar with whether `system:authenticated` is beneficial or perhaps even required by other Kubernetes flavors. Given this change would likely be considered a breaking change rather than a fix, I would suggest adding it as a new template parameter (e.g. `includeSystemAuthenticated`) with the default `false` being the current behavior.
Currently, the `k8sdisallowanonymous` template disallows bindings to the following two subjects: https://github.com/open-policy-agent/gatekeeper-library/blob/625ca8b0eed3aead24939fc95adefad029fae275/library/general/disallowanonymous/template.yaml#L42-L48

I believe `system:authenticated` belongs in this list as well. Rationale from https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/:

> The loophole, which we dubbed Sys:All, stems from a likely widespread misconception that the system:authenticated group in Google Kubernetes Engine includes only verified and deterministic identities, whereas in fact, it includes any Google authenticated account (including outside the organization). This misunderstanding then creates a significant security loophole when administrators unknowingly bind this group with overly permissive roles.

Users that are seeking to prevent access by users outside their organization are unlikely to care if those users are logged in to Gmail (and thus are `system:authenticated`) or logged out (`system:unauthenticated`).
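To make the proposal concrete for both the issue body and the reply above, here is an added, standalone Python port of the subject rule: it rejects bindings to the two subjects the template already blocks, and blocks `system:authenticated` only when a hypothetical `includeSystemAuthenticated` parameter is set, so the default keeps today's behavior. This is example code written for this thread, not the gatekeeper-library template's own Rego, and the sample binding objects are constructed for the demonstration.

```python
"""Standalone check for RoleBinding / ClusterRoleBinding subjects.

Added example: a Python port of the rule discussed in the issue, extended with
the hypothetical includeSystemAuthenticated parameter suggested in the reply.
It is not the k8sdisallowanonymous template's own Rego.
"""

# Subjects the current template rejects, per the issue text.
ALWAYS_DISALLOWED = frozenset({"system:unauthenticated", "system:anonymous"})

# Subject the issue proposes to add; opt-in so existing users are not broken.
OPT_IN_DISALLOWED = frozenset({"system:authenticated"})


def disallowed_subject_names(include_system_authenticated: bool = False) -> frozenset:
    """Return the set of subject names a binding must not reference."""
    if include_system_authenticated:
        return ALWAYS_DISALLOWED | OPT_IN_DISALLOWED
    return ALWAYS_DISALLOWED


def check_binding(binding: dict, include_system_authenticated: bool = False) -> list:
    """Return one violation string per offending subject of a RoleBinding or
    ClusterRoleBinding; an empty list means the object passes."""
    kind = binding.get("kind")
    if kind not in ("RoleBinding", "ClusterRoleBinding"):
        return []  # the rule only concerns RBAC bindings
    blocked = disallowed_subject_names(include_system_authenticated)
    meta = binding.get("metadata") or {}
    role = (binding.get("roleRef") or {}).get("name", "<no roleRef>")
    violations = []
    for subject in binding.get("subjects") or []:
        # The built-in anonymous/authenticated identities are User or Group
        # subjects; ServiceAccount subjects cannot carry these names.
        if subject.get("kind") not in ("User", "Group"):
            continue
        if subject.get("name") in blocked:
            violations.append(
                f"{kind}/{meta.get('name', '<unnamed>')}: "
                f"{subject['kind']} {subject['name']} bound to {role}"
            )
    return violations


def check_all(bindings: list, include_system_authenticated: bool = False) -> dict:
    """Map binding name -> violations, omitting bindings that pass."""
    result = {}
    for binding in bindings:
        found = check_binding(binding, include_system_authenticated)
        if found:
            result[(binding.get("metadata") or {}).get("name", "<unnamed>")] = found
    return result


# Constructed sample objects for the demonstration (not taken from the page).
SAMPLE_BINDINGS = [
    {   # already rejected by the current template
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "anon-viewer"},
        "roleRef": {"kind": "ClusterRole", "name": "view"},
        "subjects": [{"kind": "User", "name": "system:anonymous"}],
    },
    {   # the Sys:All shape: every authenticated identity gets cluster-admin
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "everyone-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    },
    {   # an ordinary team binding that must never be flagged
        "kind": "RoleBinding",
        "metadata": {"name": "team-edit", "namespace": "payments"},
        "roleRef": {"kind": "ClusterRole", "name": "edit"},
        "subjects": [{"kind": "Group", "name": "payments-devs"}],
    },
]

if __name__ == "__main__":
    for flag in (False, True):
        print(f"includeSystemAuthenticated={flag}: {check_all(SAMPLE_BINDINGS, flag)}")
```

With the flag off, only `anon-viewer` is reported; with it on, `everyone-admin` is reported too, while `team-edit` passes either way. One caveat that bears on the compatibility question in the reply: upstream Kubernetes bootstraps ClusterRoleBindings such as `system:basic-user`, `system:discovery` and `system:public-info-viewer` that target `Group system:authenticated`, so a deny with the flag on would fire on any of those passing through admission, which is exactly why an opt-in default is the safer shape.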