Ensure Legacy Authorization (ABAC) is Disabled

HIGH

Description

Description:

Legacy Authorization, also known as Attribute-Based Access Control (ABAC) has been superseded by Role-Based Access Control (RBAC) and is not under active development. RBAC is the recommended way to manage permissions in Kubernetes.

Rationale:

In Kubernetes, RBAC is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions, whilst the legacy authorizer (ABAC) in Kubernetes Engine grants broad, statically defined permissions. As RBAC provides significant security advantages over ABAC, it is recommended option for access control. Where possible, legacy authorization must be disabled for GKE clusters.

Once the cluster has the legacy authorizer disabled, you must grant your user the ability to create authorization roles using RBAC to ensure that your role-based access control permissions take effect.

Remediation

Using Google Cloud Console

  1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
  2. Select Kubernetes clusters for which Legacy Authorization is enabled
  3. Click EDIT
  4. Set 'Legacy Authorization' to 'Disabled'
  5. Click SAVE.

Using Command Line

To disable Legacy Authorization for an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME]
--zone [COMPUTE_ZONE]
--no-enable-legacy-authorization