Tags
K8s
ATT&CK Tactic
Initial Access (TA0001)
Incidents
Last edited
May 28, 2024 5:47 PM
Status
Stub
Defenses
With anonymous auth enabled (the kube-apiserver flag --anonymous-auth=true, which is the default), every request to the K8s API that carries no valid credentials is attributed to the user system:anonymous, a member of the group system:unauthenticated. Out of the box this identity has only minimal permissions. On clusters created on Kubernetes 1.14 or later the only ClusterRole bound to system:unauthenticated is system:public-info-viewer, which allows GET on /version, /healthz, /livez and /readyz and nothing else; for example, curl -k https://<api-server>/version returns the cluster version without any token, while curl -k https://<api-server>/api/v1/namespaces returns 403.
Therefore, on its own, a cluster whose API server is reachable from the internet with anonymous auth enabled is not a problem (in fact, GKE and EKS run the API server with anonymous auth enabled by default).
However, when the system:anonymous user or the system:unauthenticated group is granted permissions beyond that default through a RoleBinding or ClusterRoleBinding, anyone who can reach the API server can exercise those permissions without authenticating, including for malicious purposes. The exposure is exactly what the binding grants: binding the view ClusterRole cluster-wide exposes every namespace's workloads and ConfigMaps to the internet, and binding cluster-admin hands over the cluster. The quickest check is to audit all bindings whose subjects include either identity, or to impersonate it with kubectl auth can-i --list --as=system:anonymous --as-group=system:unauthenticated and confirm that nothing beyond the non-resource URLs above is listed.
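The audit described above, as an added example that is not part of the original page or of any Kubernetes project code: it walks the JSON that kubectl get clusterrolebindings,rolebindings -A -o json prints and reports every binding that gives system:anonymous or system:unauthenticated a role other than the out-of-the-box system:public-info-viewer. The bindings embedded below are constructed for this example, and the default-role set assumes a cluster created on Kubernetes 1.14 or later.

```python
"""Flag RBAC bindings that grant anonymous identities more than the K8s default.

Added example, not code from the original page. Input is the JSON shape of
`kubectl get clusterrolebindings,rolebindings -A -o json`; SAMPLE_BINDINGS
is constructed for this example.
"""
import json

# Identities kube-apiserver assigns to requests that carry no valid
# credentials when --anonymous-auth=true.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# The only ClusterRole bound to system:unauthenticated out of the box on
# clusters created on 1.14+ (GET on /version, /healthz, /livez, /readyz).
DEFAULT_ANONYMOUS_ROLES = {"system:public-info-viewer"}

# Constructed sample: the default binding, a normal admin binding, three
# misconfigurations (two cluster-wide, one namespaced) and a binding with no
# subjects at all, which kubectl serialises with the key absent.
SAMPLE_BINDINGS = json.loads(r"""
{
  "apiVersion": "v1", "kind": "List",
  "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"},
                  {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-readers"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "system:anonymous"}]},
    {"kind": "RoleBinding", "metadata": {"name": "anon-pod-reader", "namespace": "dev"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "no-subjects"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"}}
  ]
}
""")


def find_anonymous_grants(binding_list: dict) -> list:
    """Return one finding per (binding, anonymous subject) pair whose roleRef is
    not the expected default. Handles ClusterRoleBindings and namespaced
    RoleBindings alike, since both carry roleRef and subjects."""
    findings = []
    for binding in binding_list.get("items", []):
        role_ref = binding.get("roleRef", {})
        role = role_ref.get("name")
        meta = binding.get("metadata", {})
        # "subjects" may be missing or null on a binding created without any.
        for subject in binding.get("subjects") or []:
            if (subject.get("kind"), subject.get("name")) not in ANONYMOUS_SUBJECTS:
                continue
            if binding.get("kind") == "ClusterRoleBinding" and role in DEFAULT_ANONYMOUS_ROLES:
                continue  # the stock grant every cluster has; not a finding
            findings.append({
                "binding": meta.get("name"),
                "namespace": meta.get("namespace"),  # None for ClusterRoleBindings
                "kind": binding.get("kind"),
                "subject": subject.get("name"),
                "role": f"{role_ref.get('kind')}/{role}",
            })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_grants(SAMPLE_BINDINGS):
        where = f["namespace"] or "cluster-wide"
        print(f"{f['kind']} {f['binding']} ({where}): {f['subject']} -> {f['role']}")
```

To run it against a live cluster, replace SAMPLE_BINDINGS with json.load(sys.stdin) and pipe in the output of kubectl get clusterrolebindings,rolebindings -A -o json. The script only reasons about bindings, so a finding tells you which role the anonymous identity holds, not what that role can do; follow up on each hit with kubectl describe clusterrole or kubectl auth can-i --list --as=system:anonymous --as-group=system:unauthenticated to see the effective permissions.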