lacework-global-331
4.1.1 Ensure that the cluster-admin role is only used where required (Automated)
This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
The Role-Based Access Control (RBAC) role cluster-admin
provides wide-ranging powers over the environment. Use this role only where and when needed.
Rationale
Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as cluster-admin
provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin
allow super-user access to perform any action on any resource. When used in a ClusterRoleBinding
, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding
, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
Impact
Care should be taken before removing any clusterrolebindings
from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to clusterrolebindings
with the system:
prefix as they are required for the operation of system components.
Audit
Obtain a list of the principals who have access to the cluster-admin
role by reviewing the clusterrolebinding
output for each role binding that has access to the cluster-admin
role.
kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name
Review each principal listed and ensure that cluster-admin
privilege is required for it.
Remediation
Obtain a list of the principals that have access to the cluster-admin
role. You can do this by reviewing the clusterrolebinding
output for each role binding that has access to the cluster-admin role:
kubectl get clusterrolebindings -o="custom-columns=Name:.metadata.name,Role:.roleRef.name,Subject:.subjects[*].name"
Review each principal listed and ensure that you require the cluster-admin privilege for it.
References
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles