Updated on 2024-02-01 GMT+08:00

k8sdisallowanonymous

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: RoleBinding and ClusterRoleBinding
  • Parameter

    allowedRoles: String array

Function

A RoleBinding or ClusterRoleBinding whose subjects include the system:anonymous User or the system:unauthenticated Group may reference only a Role or ClusterRole whose name is listed in allowedRoles (the whitelist). Bindings whose subjects do not include either of these principals are not affected. The policy restricts which roles can be bound to anonymous principals; it does not inspect what those roles grant, so the whitelisted roles themselves still need to be reviewed.

Policy Example

This policy instance allows a ClusterRoleBinding or RoleBinding to bind the system:anonymous User or the system:unauthenticated Group only to a role named in allowedRoles, here cluster-role-1.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: no-anonymous
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles:
      - cluster-role-1

Resource Definition That Complies with the Policy

This ClusterRoleBinding grants the cluster-role-1 ClusterRole to the system:unauthenticated Group. Because cluster-role-1 is listed in allowedRoles, the binding complies with the policy instance.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-1
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

Resource Definition That Does Not Comply with the Policy

This ClusterRoleBinding grants the cluster-role-2 ClusterRole to the system:unauthenticated Group. cluster-role-2 is not listed in allowedRoles, so the binding does not comply with the policy instance.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-binding-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-role-2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
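To check bindings that already exist in a cluster against the rule described under Function, here is an added example (not code from this page or from the Gatekeeper project) that re-implements the documented check in Python and runs it over constructed copies of the two bindings above plus two extra cases. Assumptions: allowedRoles is matched against roleRef.name only, as in the policy example; the helper names, the namespaced RoleBinding `anon-reader`, its Role `pod-reader` and the binding `cluster-role-binding-3` are invented for illustration.

```python
"""Audit RBAC bindings for anonymous subjects bound to non-whitelisted roles.

Added example, not part of the original page or the Gatekeeper project.
"""
from __future__ import annotations

import json
from typing import Any

# Subjects the policy treats as anonymous (taken from the policy description).
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def anonymous_subjects(binding: dict[str, Any]) -> list[str]:
    """Return 'kind/name' for every anonymous subject in a binding."""
    return [
        f"{s.get('kind')}/{s.get('name')}"
        for s in binding.get("subjects") or []
        if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS
    ]


def check_binding(binding: dict[str, Any], allowed_roles: list[str]) -> str | None:
    """Return a violation message, or None when the binding complies.

    Documented rule: a RoleBinding/ClusterRoleBinding whose subjects include an
    anonymous principal must reference a role listed in allowedRoles.
    Assumption: allowedRoles is matched against roleRef.name only, so a Role
    and a ClusterRole with the same name both match.
    """
    anon = anonymous_subjects(binding)
    if not anon:
        return None  # no anonymous subject: the policy does not apply
    role_ref = binding.get("roleRef") or {}
    if role_ref.get("name") in allowed_roles:
        return None  # whitelisted role
    meta = binding.get("metadata") or {}
    ns = meta.get("namespace")
    target = f"{binding.get('kind')} {ns + '/' if ns else ''}{meta.get('name')}"
    return (
        f"{target}: binds {role_ref.get('kind')} {role_ref.get('name')!r} "
        f"to anonymous subject(s) {', '.join(anon)}"
    )


def audit(bindings: list[dict[str, Any]], allowed_roles: list[str]) -> list[str]:
    """Evaluate every binding and return the list of violation messages."""
    violations = []
    for b in bindings:
        msg = check_binding(b, allowed_roles)
        if msg:
            violations.append(msg)
    return violations


def bindings_from_kubectl_json(text: str) -> list[dict[str, Any]]:
    """Accept `kubectl get clusterrolebindings,rolebindings -A -o json` output
    (a v1 List) or a single binding document."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def _binding(kind, name, role_kind, role_name, subjects, namespace=None):
    """Build a minimal binding dict for the constructed samples below."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": meta,
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": role_kind, "name": role_name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": k, "name": n} for k, n in subjects],
    }


AUTH = ("Group", "system:authenticated")
UNAUTH = ("Group", "system:unauthenticated")
ANON = ("User", "system:anonymous")

# Constructed sample input: the two bindings from this page plus two invented cases.
SAMPLE_BINDINGS = [
    _binding("ClusterRoleBinding", "cluster-role-binding-1", "ClusterRole", "cluster-role-1", [AUTH, UNAUTH]),
    _binding("ClusterRoleBinding", "cluster-role-binding-2", "ClusterRole", "cluster-role-2", [AUTH, UNAUTH]),
    # namespaced RoleBinding granting a Role to the anonymous user: also a violation
    _binding("RoleBinding", "anon-reader", "Role", "pod-reader", [ANON], namespace="default"),
    # only authenticated subjects: the policy does not apply even with a non-whitelisted role
    _binding("ClusterRoleBinding", "cluster-role-binding-3", "ClusterRole", "cluster-role-2", [AUTH]),
]


if __name__ == "__main__":
    for v in audit(SAMPLE_BINDINGS, ["cluster-role-1"]):
        print("VIOLATION:", v)
```

Feed the output of `kubectl get clusterrolebindings,rolebindings -A -o json` into `bindings_from_kubectl_json` to run the same check against a live cluster. Admission enforcement only sees bindings that are created or updated after the constraint is installed, so a pass like this (or Gatekeeper's own audit) is what surfaces bindings that predate the policy.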