I think it makes sense to add policies for the anonymous user & unauthenticated group.
Not sure on what to alert on though - do we flag any permission given to the anonymous user / grp? Should we have exceptions for harmless permissions that are commonly given to them (given that’s actually a thing)? So a bit to sort out but I think that it’ll be a good addition.
I won’t get to implementing this soon so feel free to open a PR
Given it some thought and it’s a bit tricky to implement as rbac-police is built to alert on risky permissions rather than risky users & groups. Might still be doable though.
Btw it’s possible to run with ‘--violations user,group’ to search for users & groups with risky permissions, including the anonymous user / group
Context
After creating a clusterrolebinding for the user system:anonymous, I didn't see it in the list of Risky report.
See the details:
kubectl create clusterrolebinding anonymous-xdemo --clusterrole=view --user=system:anonymous
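As an added example (not part of the issue and not rbac-police code), the check discussed in this thread can be sketched as a scan for bindings whose subjects are `system:anonymous` or `system:unauthenticated`, with an allowlist for expected defaults. The allowlist entry, the helper `binding()`, and every sample binding other than `anonymous-xdemo` are assumptions constructed for illustration; the input shape is that of `kubectl get clusterrolebindings,rolebindings -A -o json`.

```python
import json

# Identities the API server assigns to requests that present no credentials.
ANONYMOUS = {("User", "system:anonymous"), ("Group", "system:unauthenticated")}

# Assumption: (binding, role) pairs treated as expected. Kubernetes ships
# system:public-info-viewer bound to system:unauthenticated by default.
ALLOWED = {("system:public-info-viewer", "system:public-info-viewer")}

def anonymous_bindings(doc, allowed=ALLOWED):
    """Return one finding per binding subject that is an unauthenticated identity."""
    findings = []
    for item in doc.get("items", []):
        meta, role = item["metadata"], item["roleRef"]["name"]
        if (meta["name"], role) in allowed:
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            if (subj.get("kind"), subj.get("name")) in ANONYMOUS:
                findings.append({
                    "binding": meta["name"],
                    "kind": item["kind"],
                    "namespace": meta.get("namespace", ""),
                    "subject": subj["name"],
                    "role": role,
                })
    return findings

def binding(kind, name, role, subjects, namespace=None):
    """Hypothetical helper: build a constructed binding shaped like kubectl JSON output."""
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "roleRef": {"name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects] if subjects else None}

# Constructed sample: the binding from the issue plus three invented ones.
SAMPLE = {"items": [
    binding("ClusterRoleBinding", "anonymous-xdemo", "view", [("User", "system:anonymous")]),
    binding("ClusterRoleBinding", "system:public-info-viewer", "system:public-info-viewer",
            [("Group", "system:authenticated"), ("Group", "system:unauthenticated")]),
    binding("RoleBinding", "health-readers", "pod-reader",
            [("Group", "system:unauthenticated")], namespace="demo"),
    binding("ClusterRoleBinding", "empty-binding", "edit", None),
]}

if __name__ == "__main__":
    for finding in anonymous_bindings(SAMPLE):
        print(json.dumps(finding))
```

Matching the allowlist on the (binding, role) pair rather than the binding name alone keeps a renamed or repurposed binding from being skipped; it does not detect edits to the allowed role's own rules.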