OpenShift Request For Enhancement: RFE-5312

Minimize permissions for unauthenticated user access to apiserver


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Critical
    • Component: openshift-apiserver

Red Hat allows the following roles for the system:anonymous user and the system:unauthenticated group:

    oc get clusterrolebindings -o json | jq '.items[] |
      select(any(.subjects[]?; .kind == "Group" and .name == "system:unauthenticated")) |
      .metadata.name'

Returns what unauthenticated users can do, which is the following:

    "self-access-reviewers"
    "system:oauth-token-deleters"
    "system:openshift:public-info-viewer"
    "system:public-info-viewer"
    "system:scope-impersonation"
    "system:webhooks"

Customers would like to minimize the permissions allowed to unauthenticated groups and users.

Workaround available: gating the access with policy engines.

Expected: minimize the roles allowed for unauthenticated access.
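The same audit as a script, added here as an example and not part of the RFE or of OpenShift: it walks the JSON that `oc get clusterrolebindings -o json` returns (replaced below by a constructed sample), matches each subject as a whole (kind, name) pair so that the field-by-field pairing of the original jq one-liner cannot produce a false match, also covers the system:anonymous user the text mentions, and flags any binding beyond the six defaults listed above.

```python
import json

# Subjects that represent callers presenting no credentials.
UNAUTHENTICATED_SUBJECTS = {("Group", "system:unauthenticated"),
                            ("User", "system:anonymous")}

# The six default bindings the RFE lists for system:unauthenticated.
EXPECTED_BINDINGS = {
    "self-access-reviewers", "system:oauth-token-deleters",
    "system:openshift:public-info-viewer", "system:public-info-viewer",
    "system:scope-impersonation", "system:webhooks",
}


def bindings_for_unauthenticated(crb_list: dict) -> dict:
    """Map binding name -> bound ClusterRole name for every binding whose
    subject list contains an unauthenticated subject. A subject matches only
    as a whole (kind, name) pair, never kind from one entry and name from another."""
    found = {}
    for item in crb_list.get("items", []):
        subjects = item.get("subjects") or []   # subjects may be absent or null
        if any((s.get("kind"), s.get("name")) in UNAUTHENTICATED_SUBJECTS
               for s in subjects):
            found[item["metadata"]["name"]] = item["roleRef"]["name"]
    return found


def unexpected_bindings(crb_list: dict) -> set:
    """Unauthenticated-reachable bindings that are not documented defaults."""
    return set(bindings_for_unauthenticated(crb_list)) - EXPECTED_BINDINGS


# Constructed sample standing in for `oc get clusterrolebindings -o json`: one
# default binding, one decoy the jq one-liner would match, one custom binding.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"},
               {"kind": "Group", "name": "system:unauthenticated"}]},
 {"metadata": {"name": "decoy"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "devs"},
               {"kind": "ServiceAccount", "name": "system:unauthenticated",
                "namespace": "tools"}]},
 {"metadata": {"name": "custom-anon-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "system:anonymous"}]}
]}""")
```

On the sample, `unexpected_bindings(SAMPLE)` returns only `custom-anon-view`; the decoy is ignored and the default binding is recognised.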

Anjali Telang (atelang@redhat.com)
Votes: 2
Watchers: 2