Profile applicability: Level 1 - Master Node
The RBAC role
cluster-admin provides wide-ranging powers over the environment
and should be used only where and when needed.Kubernetes provides a set of default roles where RBAC is used. Some of these roles
such as
cluster-admin provide wide-ranging privileges which should only be applied
where absolutely necessary. Roles such as cluster-admin allow super-user access
to perform any action on any resource. When used in a ClusterRoleBinding, it
gives full control over every resource in the cluster and in all namespaces. When
used in a
RoleBinding, it gives full control over every resource in the rolebinding's
namespace, including the namespace itself. |
NoteBy default, a single
clusterrolebinding called cluster-admin
is provided with the system:masters group as its principal. |
Impact
Care should be taken before removing any
clusterrolebindings from the
environment to ensure they were not required for operation of the cluster. Specifically,
modifications should not be made to clusterrolebindings with the
system: prefix as they are required for the operation of system
components.Audit
Obtain a list of the principals who have access to the
cluster-admin role by
reviewing the clusterrolebinding output for each role binding that has access
to the cluster-admin role.kubectl get clusterrolebindings -o=custom- columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name
Review each principal listed and ensure that
cluster-admin privilege is
required for it.Remediation
Identify all
clusterrolebindings to the cluster-admin role.
Check if they are used and if they need this role or if they could use a role with
fewer
privileges.Where possible, first bind users to a lower privileged role and then remove the
clusterrolebinding to the cluster-admin role :kubectl delete clusterrolebinding [name]