feat(rules): add anonymous-access-enabled to framework

controls/C-0262-anonymousaccessisenabled.json

@@ -0,0 +1,15 @@
+{
+    "controlID": "C-0262",
+    "name": "Anonymous access enabled",
+    "description": "Granting permissions to the system:unauthenticated or system:anonymous user is generally not recommended and can introduce security risks. Allowing unauthenticated access to your Kubernetes cluster can lead to unauthorized access, potential data breaches, and abuse of cluster resources.",
+    "remediation": "Review and modify your cluster's RBAC configuration to ensure that only authenticated and authorized users have appropriate permissions based on their roles and responsibilities within your system.",
+    "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to anonymous user. Also checks in the apiserver if the --anonymous-auth flag is set to false",
+    "attributes": {
+        "armoBuiltin": true
+    },
+    "rulesNames": [
+        "ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false",
+        "anonymous-access-enabled"
+    ],
+    "baseScore": 5
+}

frameworks/allcontrols.json

@@ -371,6 +371,12 @@
             "patch": {
                 "name": "CVE-2022-47633-kyverno-signature-bypass"
             }
+        },
+        {   
+            "controlID": "C-0262",
+            "patch": {
+                "name": "Anonymous access enabled"
+            }
         }
     ]
 }

frameworks/security.json

@@ -97,6 +97,12 @@
             "patch": {
                 "name": "Apply Security Context to Your Pods and Containers"
             }
+        },
+        {   
+            "controlID": "C-0262",
+            "patch": {
+                "name": "Anonymous access enabled"
+            }
         }
     ]
 }

rules/anonymous-access-enabled/raw.rego

@@ -0,0 +1,30 @@
+package armo_builtins
+
+# Fails is rolebinding/clusterrolebinding gives permissions to anonymous user
+deny[msga] {
+    rolebindings := [rolebinding | rolebinding = input[_]; endswith(rolebinding.kind, "Binding")]
+    rolebinding := rolebindings[_]
+
+    isAnonymous(rolebinding)
+
+    msga := {
+        "alertMessage": sprintf("the following RoleBinding: %v gives permissions to anonymous users", [rolebinding.metadata.name]),
+        "alertScore": 9,
+        "packagename": "armo_builtins",
+        "alertObject": {
+            "k8sApiObjects": [rolebinding]
+        }
+    }
+}
+
+
+isAnonymous(binding) {
+    subject := binding.subjects[_]
+    subject.name == "system:anonymous"
+}
+
+
+isAnonymous(binding) {
+    subject := binding.subjects[_]
+    subject.name == "system:unauthenticated"
+}

rules/anonymous-access-enabled/rule.metadata.json

@@ -0,0 +1,25 @@
+{
+    "name": "anonymous-access-enabled",
+    "attributes": {
+        "armoBuiltin": true
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+        {
+            "apiGroups": [
+                "rbac.authorization.k8s.io"
+            ],
+            "apiVersions": [
+                "v1"
+            ],
+            "resources": [
+                "RoleBinding",
+                "ClusterRoleBinding"
+            ]
+        }
+    ],
+    "ruleDependencies": [],
+    "description": "Fails in case anonymous access is enabled on the cluster",
+    "remediation": "Disable anonymous access by passing the --anonymous-auth=false flag to the kube-apiserver component, or if it's a managed cluster, you can remove any RBAC rules which allow anonymous users to perform actions",
+    "ruleQuery": "armo_builtins"
+}

rules/anonymous-access-enabled/test/fail/expected.json

@@ -0,0 +1,24 @@
+[
+    {
+        "alertMessage": "the following RoleBinding: system:public-info-viewer gives permissions to anonymous users",
+        "failedPaths": null,
+        "fixPaths": null,
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 9,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "rbac.authorization.k8s.io/v1",
+                    "kind": "ClusterRoleBinding",
+                    "metadata": {
+                        "labels": {
+                            "kubernetes.io/bootstrapping": "rbac-defaults"
+                        },
+                        "name": "system:public-info-viewer"
+                    }
+                }
+            ]
+        }
+    }
+]

rules/anonymous-access-enabled/test/fail/input/clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:public-info-viewer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:public-info-viewer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:authenticated
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:unauthenticated

rules/anonymous-access-enabled/test/success/expected.json

@@ -0,0 +1 @@
+[]

rules/anonymous-access-enabled/test/success/input/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name:  pod
+  namespace: default
+subjects:
+- kind: User  
+  name: jane 
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role 
+  name: pod-reader 
+  apiGroup: rbac.authorization.k8s.io