Anonymous Auth Is Not Set To False

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-access-002
  labels:
    severity: "critical" 
    category: "access"
  annotations:
    rules.spotter.dev/title: "Anonymous Auth Is Not Set To False"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-306"
    rules.spotter.dev/description: "Anonymous authentication allows unauthenticated users to make requests to the API server. This should be disabled."
spec:
  match:
    resources:
      kubernetes:
        apiGroups: [""]
        versions: ["v1"]
        kinds: ["Pod"]
  cel: |
    (object.kind == "Pod" && has(object.spec.containers) && object.spec.containers.exists(c,
      has(c.command) && (c.command.exists(cmd, cmd == "kube-apiserver") || c.command.exists(cmd, cmd == "kubelet")) &&
      (
        (has(c.args) && c.args.exists(arg, arg == "--anonymous-auth=true")) ||
        (has(c.command) && c.command.exists(cmd, cmd == "--anonymous-auth=true")) ||
        (has(c.command) && c.command.exists(cmd, cmd.contains("--anonymous-auth=true")))
      )
    ))
  remediation:
    manual: "Edit the kube-apiserver pod specification file and set the --anonymous-auth flag to false."
  references:
    - title: "Controlling Access to the Kubernetes API"
      url: "https://kubernetes.io/docs/concepts/security/controlling-access/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
        command:
        - kube-apiserver
        args:
        - --anonymous-auth=true
      restartPolicy: OnFailure

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: foo/bar
        command:
        - kubelet
        - --anonymous-auth=true
      restartPolicy: OnFailure

- name: insecure sample 3 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: foo/bar
        command:
        - kubelet
        args:
        - --anonymous-auth=true
      restartPolicy: OnFailure

- name: insecure sample 4 should fail
  pass: false
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
        command:
        - kube-apiserver
        - --anonymous-auth=true
      restartPolicy: OnFailure

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
        command:
        - kube-apiserver
        - --anonymous-auth=false
      restartPolicy: OnFailure

- name: secure sample 2 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: foo/bar
        command:
        - kubelet
        - --anonymous-auth=false
      restartPolicy: OnFailure

- name: secure sample 3 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
        command:
        - kube-apiserver
        args:
        - --anonymous-auth=false
      restartPolicy: OnFailure

- name: secure sample 4 should pass
  pass: true
  input: |
    apiVersion: v1
    kind: Pod
    metadata:
      name: command-demo
      labels:
        purpose: demonstrate-command
      namespace: kube-system
    spec:
      containers:
      - name: command-demo-container
        image: foo/bar
        command:
        - kubelet
        args:
        - --anonymous-auth=false
      restartPolicy: OnFailure

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-access-002
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-access-002
spec:
  # Add your VAP configuration here

Rule Metadata

Anonymous Auth Is Not Set To False

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub