C-0246 - Avoid use of system:masters group
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-eks-t1.2.0
Severity
High
Description of the the issue
The system:masters group has unrestricted access to the Kubernetes API hard-coded into the API server source code. An authenticated user who is a member of this group cannot have their access reduced, even if all bindings and cluster role bindings which mention it, are removed.
When combined with client certificate authentication, use of this group can allow for irrevocable cluster-admin level credentials to exist for a cluster.
Related resources
What does this control test
The special group system:masters should not be used to grant permissions to any user or service account, except where strictly necessary (e.g. bootstrapping access prior to RBAC being fully available)
How to check it manually
Review a list of all credentials which have access to the cluster and ensure that the group system:masters is not used.
Remediation
Remove the system:masters group from all users in the cluster.
Impact Statement
Once the RBAC system is operational in a cluster system:masters should not be specifically required, as ordinary bindings from principals to the cluster-admin cluster role can be made where unrestricted access is required.
Default Value
By default some clusters will create a "break glass" client certificate which is a member of this group. Access to this client certificate should be carefully controlled and it should not be used for general cluster operations.
Example
No example
Updated about 1 month ago