Cloud Threat Landscape

Cluster anonymous access

Tags: K8s
ATT&CK Tactic: Initial Access (TA0001)
Incidents: RBAC Buster
Last edited: May 28, 2024 5:47 PM
Status: Stub
Defenses: User Account Control

With anonymous auth enabled, every unauthenticated request to a K8s cluster's API is attributed to the system:anonymous user, which is a member of the system:unauthenticated group. By default this user has only minimal permissions on cluster resources; for example, it can read the cluster version via the /version endpoint.

Therefore, on its own, a publicly reachable cluster with anonymous auth enabled is not a problem (in fact, GKE and EKS employ this mode by default).

However, when the system:anonymous user or the system:unauthenticated group is granted non-default permissions, any external unauthenticated user can exercise those permissions as they see fit, which may very well include malicious purposes.
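The check a defender wants here is whether any RBAC binding in the cluster grants system:anonymous or system:unauthenticated anything beyond the baseline, and whether audit logs show anonymous requests outside that baseline. The following is an added example, not Wiz's code or part of the Kubernetes project. It assumes the input formats of `kubectl get clusterrolebindings,rolebindings -A -o json` and of kube-apiserver audit.k8s.io/v1 events, treats the API server's built-in `system:public-info-viewer` ClusterRoleBinding (which is what lets anonymous clients hit /version and the health endpoints) as the expected baseline, and uses constructed sample bindings and audit events so it runs offline.

```python
"""Find Kubernetes RBAC grants to anonymous subjects and anonymous API calls
outside the default baseline. Example added here; not Wiz's or Kubernetes' code.

Input for anonymous_grants(): the JSON document printed by
    kubectl get clusterrolebindings,rolebindings -A -o json
Input for unexpected_anonymous_requests(): kube-apiserver audit events
(audit.k8s.io/v1 Event objects, one dict each). All sample data below is constructed.
"""
import json
import sys

ANON_SUBJECTS = {"system:anonymous", "system:unauthenticated"}

# The API server itself creates this ClusterRoleBinding so that unauthenticated
# clients can reach /version and the health endpoints; it is the expected baseline.
DEFAULT_ANON_BINDINGS = {("ClusterRoleBinding", "system:public-info-viewer")}

# nonResourceURLs allowed by the system:public-info-viewer ClusterRole (verb: get).
EXPECTED_ANON_PATHS = {"/healthz", "/livez", "/readyz", "/version", "/version/"}


def anonymous_grants(binding_list):
    """Return every binding whose subjects include system:anonymous or
    system:unauthenticated, except the default public-info-viewer binding."""
    findings = []
    for item in binding_list.get("items", []):
        kind = item.get("kind")
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if (kind, name) in DEFAULT_ANON_BINDINGS:
            continue
        hits = [s for s in item.get("subjects") or [] if s.get("name") in ANON_SUBJECTS]
        if not hits:
            continue
        role = item.get("roleRef", {})
        findings.append({
            "kind": kind,
            "namespace": meta.get("namespace"),  # None for a ClusterRoleBinding
            "name": name,
            "subjects": sorted(s["name"] for s in hits),
            "role": f"{role.get('kind')}/{role.get('name')}",
        })
    return findings


def unexpected_anonymous_requests(audit_events):
    """Return audit events made as system:anonymous to any path outside the
    public-info baseline (query strings are ignored for the comparison)."""
    out = []
    for ev in audit_events:
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        path = ev.get("requestURI", "").split("?", 1)[0]
        if path not in EXPECTED_ANON_PATHS:
            out.append(ev)
    return out


# Constructed sample: the default binding, two non-default anonymous grants,
# and one ordinary binding that must not be reported.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "system:public-info-viewer"},
         "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"},
                      {"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "anon-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "anon-pod-reader", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "pod-reader"},
         "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "ci-deployer", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    ],
}

# Constructed audit events: a baseline /version probe, a resource request made
# anonymously (the one to alert on), and an authenticated request.
SAMPLE_AUDIT = [
    {"user": {"username": "system:anonymous"}, "verb": "get",
     "requestURI": "/version", "responseStatus": {"code": 200}},
    {"user": {"username": "system:anonymous"}, "verb": "list",
     "requestURI": "/api/v1/secrets?limit=500", "responseStatus": {"code": 200}},
    {"user": {"username": "alice@example.com"}, "verb": "list",
     "requestURI": "/api/v1/secrets?limit=500", "responseStatus": {"code": 200}},
]

if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings,rolebindings -A -o json | python3 anon_rbac_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_BINDINGS
    for f in anonymous_grants(data):
        print(f"{f['kind']} {f['namespace'] or '-'}/{f['name']}: {f['subjects']} -> {f['role']}")
    for ev in unexpected_anonymous_requests(SAMPLE_AUDIT):
        print(f"anonymous {ev['verb']} {ev['requestURI']} (HTTP {ev['responseStatus']['code']})")
```

On the sample data the binding audit reports only `anon-admin` and `dev/anon-pod-reader`, and the audit-log check reports only the anonymous list of secrets. Where anonymous access is not needed at all, the kube-apiserver flag `--anonymous-auth=false` removes the system:anonymous identity entirely; on managed services that keep anonymous auth on (the page names GKE and EKS), the binding audit above is the control to run, and any non-default grant to these two subjects should be treated as a finding.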

Made with 💙 by Wiz

Last Updated: April 3, 2025