Anonymous access unexpectedly granted to a Kubernetes cluster
Description
AlphaSOC detected that anonymous access has been enabled on a Kubernetes cluster. This indicates that an authenticated account has modified the cluster's control plane configuration, allowing API calls to be made anonymously. Enabling anonymous access bypasses standard authentication mechanisms, posing a significant security risk by potentially exposing sensitive resources to unauthorized access.
Impact
Anonymous access to Kubernetes clusters allows adversaries to view, modify, or delete cluster resources without authentication. Threat actors can leverage this access to deploy unauthorized workloads, access sensitive resources, and exploit other parts of the infrastructure. This exposure creates opportunities for data breaches, resource hijacking, and service disruption.
Severity
| Severity | Condition |
|---|---|
| Low | Anonymous access granted to a Kubernetes cluster |
| Medium | Unexpected anonymous access granted |
Investigation and Remediation
Examine Kubernetes audit logs for unauthorized API requests and resource access. Review RBAC configurations and service account permissions. Implement strict authentication requirements for all API access. Deploy network policies to restrict cluster access. Revoke compromised service account tokens. Monitor for unauthorized resource creation or modification.
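As a starting point for the audit log review described above, the following added example (not AlphaSOC's code) triages Kubernetes audit events in JSON-lines form. It reports which requests from `system:anonymous` were allowed and which authenticated user wrote a binding that names an anonymous subject. The function names, the baseline path list and the sample events are assumptions constructed for illustration.

```python
import json

ANON = ("system:anonymous", "system:unauthenticated")  # anonymous user and its group
BASELINE = ("/healthz", "/livez", "/readyz", "/version")  # assumption: default public paths, adjust per cluster

def grants_to_anonymous(ev):
    """True if the event writes a (Cluster)RoleBinding naming an anonymous subject (needs audit level Request+)."""
    ref, verbs = ev.get("objectRef") or {}, ("create", "update", "patch")
    if ref.get("resource") not in ("clusterrolebindings", "rolebindings") or ev.get("verb") not in verbs:
        return False
    subjects = (ev.get("requestObject") or {}).get("subjects") or []
    return any(s.get("name") in ANON for s in subjects)

def triage(lines):
    """Return (allowed anonymous requests, anonymous grants, unparsable line count)."""
    requests, grants, skipped = [], [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            stage = ev.get("stage")
        except (ValueError, AttributeError):  # bad JSON, or JSON that is not an object
            skipped += 1
            continue
        if stage != "ResponseComplete":  # keep one record per request
            continue
        user = ev.get("user") or {}
        path = ev.get("requestURI", "").split("?", 1)[0]
        allowed = (ev.get("annotations") or {}).get("authorization.k8s.io/decision") == "allow"
        anonymous = user.get("username") == ANON[0] or ANON[1] in (user.get("groups") or [])
        baseline = path in BASELINE or path.startswith(tuple(p + "/" for p in BASELINE))
        if anonymous and allowed and not baseline:
            requests.append((ev.get("verb"), path))
        if grants_to_anonymous(ev):
            grants.append((user.get("username"), (ev.get("objectRef") or {}).get("name")))
    return requests, grants, skipped

def _ev(user, verb, uri, decision, **extra):  # builds one constructed sample line
    return json.dumps({"stage": "ResponseComplete", "verb": verb, "requestURI": uri, "user":
                       {"username": user}, "annotations": {"authorization.k8s.io/decision": decision}, **extra})

SAMPLE = [  # constructed audit events, not taken from a real cluster
    _ev("admin@example.com", "create", "/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
        "allow", objectRef={"resource": "clusterrolebindings", "name": "anon-view"},
        requestObject={"subjects": [{"kind": "User", "name": "system:anonymous"}]}),
    _ev("system:anonymous", "list", "/api/v1/namespaces/default/secrets?limit=500", "allow"),
    _ev("system:anonymous", "get", "/healthz", "allow"),
    _ev("system:anonymous", "get", "/api/v1/pods", "forbid"),
]
```

Each entry in the second list pairs the granting account with the binding to review or remove; anonymous requests that were denied, or that hit the baseline health and version paths, are not reported.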