Understanding the Use of cattle-unauthenticated ClusterRole and ClusterRoleBinding

After running an EKS hardening program, I encountered a vulnerability related to the cattle-unauthenticated ClusterRole and its associated ClusterRoleBinding. The program advised against binding ClusterRoles to anonymous or unauthenticated groups.

The cattle-unauthenticated ClusterRole appears to be essential for Rancher’s access to Kubernetes. Could you please explain why this specific ClusterRole is used and its necessity for Rancher’s operations?

ClusterRole (cattle-unauthenticated):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-unauthenticated
  resourceVersion: '187854'
  uid: 58b45e53-6ffc-417c-8e19-27fdc771390a
rules:
  - apiGroups:
      - management.cattle.io
    resourceNames:
      - first-login
      - ui-pl
      - ui-banners
      - ui-brand
      - ui-favicon
    resources:
      - settings
    verbs:
      - get

ClusterRoleBinding (cattle-unauthenticated):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cattle-unauthenticated
  resourceVersion: '223658'
  uid: d17330f0-c2e1-42e6-a889-b666a822fd60
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cattle-unauthenticated
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:unauthenticated
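
A hardening scanner flags any binding to `system:unauthenticated`, so the practical triage step is to check what such a binding actually grants. The following is an added example, not part of the original post and not Rancher's code: it takes role and binding objects in the shape of `kubectl get clusterrole,clusterrolebinding -o json` items and separates get-only rules pinned to named objects from anything wider. The function names, the "narrow"/"review" verdicts and the `demo-anon-wide` role are assumptions made for illustration.

```python
# Added example: triage ClusterRoleBindings that grant access to unauthenticated callers.
ANON = {"system:unauthenticated", "system:anonymous"}

def rule_is_narrow(rule):
    """Get-only on explicitly named objects, no wildcards; anything else needs review."""
    fields = [rule.get(k) or [] for k in ("apiGroups", "resources", "verbs", "resourceNames")]
    if any("*" in f for f in fields):
        return False
    return set(rule.get("verbs") or []) == {"get"} and bool(rule.get("resourceNames"))

def audit(roles, bindings):
    """Return (binding, subject, verdict, exposed objects) per anonymous subject."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        for s in b.get("subjects") or []:
            if s.get("kind") not in ("User", "Group") or s.get("name") not in ANON:
                continue
            # A missing role yields no rules and is reported as "review".
            rules = by_name.get(b["roleRef"]["name"], {}).get("rules") or []
            narrow = bool(rules) and all(rule_is_narrow(r) for r in rules)
            exposed = sorted(f"{res}/{name}" for r in rules
                             for res in r.get("resources") or []
                             for name in r.get("resourceNames") or ["*"])
            findings.append((b["metadata"]["name"], s["name"],
                             "narrow" if narrow else "review", exposed))
    return findings

def _binding(name, kind, subject):
    return {"metadata": {"name": name}, "roleRef": {"kind": "ClusterRole", "name": name},
            "subjects": [{"kind": kind, "name": subject}]}

# Sample input: first role/binding copied from the post; "demo-anon-wide" is constructed.
SAMPLE_ROLES = [
    {"metadata": {"name": "cattle-unauthenticated"}, "rules": [{
        "apiGroups": ["management.cattle.io"], "resources": ["settings"], "verbs": ["get"],
        "resourceNames": ["first-login", "ui-pl", "ui-banners", "ui-brand", "ui-favicon"]}]},
    {"metadata": {"name": "demo-anon-wide"}, "rules": [{
        "apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    _binding("cattle-unauthenticated", "Group", "system:unauthenticated"),
    _binding("demo-anon-wide", "User", "system:anonymous"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(finding)
```

Rules that use `nonResourceURLs`, and bindings whose role is missing from the input, come back as "review" because the check is deliberately conservative.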