-
Epic
-
Resolution: Unresolved
-
Critical
-
None
-
None
-
None
-
Investigate reducing permissions to anonymous user
-
False
-
None
-
False
-
Not Selected
-
To Do
-
0
-
0%
RedHat allows following roles for system:anonymous user and system:unauthenticated group:
oc get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.kind
== "Group" and .subjects[]?.name == "system:unauthenticated") |
.metadata.name' | uniq
Returns what unauthenticated users can do, which is the following:
"self-access-reviewers"
"system:oauth-token-deleters"
"system:openshift:public-info-viewer"
"system:public-info-viewer"
"system:scope-impersonation"
"system:webhooks"
Customers would like to minimize the allowed permissions to unauthenticated groups and users.
Workaround available: Gating the access with policy engines
Outcome: Minimize the allowed roles for unauthenticated access
Goals of spike:
- Investigate impact of disabling the roles listed above for new and existing clusters
- Document risks and feasibility
- is blocked by
-
OCPBUGS-33378 Builds TestWebhook failed on step testing unauthenticated forbidden on upgrade
-
- ON_QA
-
- is related to
-
-
- POST
-
- relates to
-
RFE-5312 Minimize permissions for unauthenticated user access to apiserver
-
- Under Review
-
- links to
