Are there security implications when granting system:service-account-issuer-discovery to system:unauthenticated in OpenShift Container Platform 4

Solution Verified - Updated -

Issue

  • We were requested to apply the below change on our platform and we would now like to know whether we may hit security implications / risks when granting the below ClusterRole to system:unauthenticated.

    kubectl create clusterrolebinding oidc-reviewer \
      --clusterrole=system:service-account-issuer-discovery \
      --group=system:unauthenticated
    
  • oidc-reviewer needs system:unauthenticated.

  • Are there security concerns when granting system:service-account-issuer-discovery to system:unauthenticated?

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
