Unauthenticated privileged access to Kubernetes API Server

SERVICE: kubernetes

DATA BREACHES: unknown

EXPLOITABILITY: high (how easy it is for an attacker to discover and exploit the vulnerability; some refer to this as likelihood)

IMPACT: high (how impactful a successful exploitation of this vulnerability is expected to be for your environment and organization)

About

The Kubernetes API server is the main entrypoint for users of the cluster, and is often directly exposed to the Internet. Unauthenticated privileged access to the Kubernetes API server will allow attackers to retrieve information from, and possibly modify the configuration of, the affected cluster.

Understanding Impact

Business Impact

Unauthenticated access to the Kubernetes API server can leak sensitive business information and allow attackers to compromise business applications running in the affected cluster.

Technical Impact

Any permissions granted through RBAC (or any other enabled authorization mode) to the system:anonymous user or the system:unauthenticated group are available to every unauthenticated request (assuming the --anonymous-auth flag is enabled on the API server, which is the default). Privileges beyond the default should not be applied to these principals.

Identify affected resources

To check from an external viewpoint, API paths can be requested with a tool like curl. For example, curl -k https://[IP]:[PORT]/api/v1/pods tests whether the cluster's pod list can be read anonymously.

A review of RBAC for ClusterRoleBindings that grant access to system:anonymous or system:unauthenticated also helps; this can be done with a command like:

kubectl get clusterrolebindings -o json | jq '.items[] | select(.subjects? // [] | any(.kind == "User" and .name == "system:anonymous" or .kind == "Group" and .name == "system:unauthenticated"))'

Similarly, for RoleBindings across all namespaces:

kubectl get rolebindings -A -o json | jq '.items[] | select(.subjects? // [] | any(.kind == "User" and .name == "system:anonymous" or .kind == "Group" and .name == "system:unauthenticated"))'
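As an added example (not part of this advisory), the following Python script applies the same check to the JSON the kubectl commands above emit, separating the binding the API server's bootstrap policy creates by default (system:public-info-viewer, an assumption about the cluster's stock policy) from custom ones, and interprets the HTTP status returned by the curl probe; the sample bindings are constructed.

```python
import json

# Principals the API server assigns to requests that carry no credentials
# (when --anonymous-auth is enabled, the default).
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Binding the bootstrap RBAC policy itself creates for unauthenticated clients
# (read-only /healthz, /version, /livez, /readyz). Assumption: any other hit is a finding.
EXPECTED_DEFAULTS = {"system:public-info-viewer"}

def anonymous_bindings(binding_list):
    """Scan `kubectl get clusterrolebindings|rolebindings -o json` output for bindings
    that grant a role to an unauthenticated principal."""
    findings = []
    for item in binding_list.get("items", []):
        hits = [s for s in (item.get("subjects") or [])   # subjects may be null
                if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS]
        if not hits:
            continue
        meta = item["metadata"]
        findings.append({
            "kind": item.get("kind"),
            "name": meta["name"],
            "namespace": meta.get("namespace"),             # None for ClusterRoleBinding
            "role": f'{item["roleRef"]["kind"]}/{item["roleRef"]["name"]}',
            "subjects": [f'{s["kind"]}/{s["name"]}' for s in hits],
            "expected_default": meta["name"] in EXPECTED_DEFAULTS,
        })
    return findings

def classify_probe(status_code, body):
    """Interpret the reply to an unauthenticated `curl -k https://[IP]:[PORT]/api/v1/pods`."""
    if status_code == 401:
        return "anonymous auth disabled"                 # rejected before authorization
    if status_code == 403 and "system:anonymous" in body:
        return "anonymous auth enabled, RBAC denies"     # the expected, safe state
    if status_code == 200:
        return "EXPOSED: anonymous access granted"
    return f"unexpected HTTP {status_code}"

# Constructed sample standing in for real kubectl output (not from a real cluster).
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "system:public-info-viewer"},
  "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}, {"kind": "Group", "name": "system:unauthenticated"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "anon-pod-reader"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": [{"kind": "User", "name": "system:anonymous"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": null}]}""")
```

Run anonymous_bindings on the output of both kubectl commands and treat every finding whose expected_default is False as something to review; a 403 from the curl probe whose Status message names system:anonymous is the safe state, while a 200 is the exposure this advisory describes.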

Remediate vulnerable resources

Remove any unnecessary access from the system:anonymous user and system:unauthenticated group. This can be done by removing references to them from ClusterRoleBinding and RoleBinding objects.

References

Kubernetes RBAC good practices (kubernetes documentation)

Kubernetes unauthenticated access (kubernetes documentation)
