Uploaded image for project: 'OpenShift Authentication'
  1. OpenShift Authentication
  2. AUTH-509

Investigate reducing permissions for unauthenticated users for apiserver access

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • None
    • Investigate reducing permissions to anonymous user
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-1378 - Reduced the permissions for anonymous users and groups
    • OCPSTRAT-1378Reduced the permissions for anonymous users and groups
    • 0% To Do, 0% In Progress, 100% Done
    • Removed Functionality

      RedHat allows following roles for system:anonymous user and system:unauthenticated group: 

      oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.kind

      == "Group" and .subjects[]?.name == "system:unauthenticated") |

      .metadata.name' | uniq

      Returns what unauthenticated users can do, which is the following:

      "self-access-reviewers"

      "system:oauth-token-deleters"

      "system:openshift:public-info-viewer"

      "system:public-info-viewer"

      "system:scope-impersonation"

      "system:webhooks"

      Customers would like to minimize the allowed permissions to unauthenticated groups and users. 

      Workaround available: Gating the access with policy engines 

      Outcome: Minimize the allowed roles for unauthenticated access 

      Goals of spike:

      1. Investigate impact of disabling the roles listed above for new and existing clusters
      2. Document risks and feasibility 

            kostrows@redhat.com Krzysztof Ostrowski
            atelang@redhat.com Anjali Telang
            Deepak Punia Deepak Punia
            Andrea Hoffer Andrea Hoffer
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: