Detections
Analytics
Ensure that the cluster-admin role is only used where required
HIGH
Description
Description:
The RBAC role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed.
Rationale:
Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as 'cluster-admin' provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as 'cluster-admin' allow super-user access to perform any action on any resource. When used in a 'ClusterRoleBinding', it gives full control over every resource in the cluster and in all namespaces. When used in a 'RoleBinding', it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
Care should be taken before removing any 'clusterrolebindings' from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to 'clusterrolebindings' with the 'system:' prefix as they are required for the operation of system components.
Remediation
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role :
kubectl delete clusterrolebinding [name]
Policy Details
Frameworks
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA
CIS Kubernetes v1.4.0 Level 1
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Amazon Elastic Kubernetes Service (EKS) v1.1.0 Level 1
CIS Amazon Elastic Kubernetes Service (EKS) v1.3.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.1.0 Level 1
CIS Azure Kubernetes Service (AKS) v1.3.0 Level 1
NSA CISA Kubernetes Hardening Guide 1.0
CIS Google Kubernetes Engine (GKE) v1.2.0 Level 1 - Master Node
CIS Google Kubernetes Engine (GKE) v1.4.0 Level 1