C-0185 - Ensure that the cluster-admin role is only used where required
cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0
Description of the the issue
Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as
cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as
cluster-admin allow super-user access to perform any action on any resource. When used in a
ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a
RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
ClusterRole, ClusterRoleBinding, Role
What does this control test
Check which subjects have are bound to the cluster-admin role with a clusterrolebinding.
How to check it manually
Obtain a list of the principals who have access to the
cluster-admin role by reviewing the
clusterrolebinding output for each role binding that has access to the
kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name
Review each principal listed and ensure that
cluster-admin privilege is required for it.
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
Care should be taken before removing any
clusterrolebindings from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to
clusterrolebindings with the
system: prefix as they are required for the operation of system components.
By default a single
cluster-admin is provided with the
system:masters group as its principal.
Updated 8 days ago