lacework-global-777

Disable Legacy Attribute-Based Access Control (ABAC) (Automated)

Description

Role-Based Access Control (RBAC) supersedes Legacy Authorization, also known as Attribute-Based Access Control (ABAC). Legacy Authorization is not under active development, and while it is enabled the fine-grained permissions you define with RBAC may not be enforced for Kubernetes service accounts. RBAC is the recommended way to manage permissions in Kubernetes, so Legacy Authorization should be disabled on every GKE cluster.

Remediation

Using Google Cloud Console

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Select Kubernetes clusters with Legacy Authorization enabled.
  3. Click Edit.
  4. Set Legacy Authorization to Disabled.
  5. Click Save.

Using Command Line

To disable Legacy Authorization for an existing zonal cluster, run the following command (for a regional cluster, replace --zone <compute_zone> with --region <compute_region>):

gcloud container clusters update <cluster_name> --zone <compute_zone> --no-enable-legacy-authorization
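The following audit script is an added example and is not part of the Lacework policy or Google's tooling. It takes cluster inventory lines in the shape that `gcloud container clusters list --format='value(name,location,legacyAbac.enabled)'` produces (tab-separated name, location, and the enabled flag), and prints the exact remediation command above for every cluster that still has Legacy Authorization enabled, choosing `--zone` or `--region` from the shape of the location. The inventory embedded below is constructed for illustration; it is assumed that gcloud prints the boolean as `True` (the script also accepts `true`) and that the field is empty when legacy ABAC is not configured.

```shell
#!/bin/sh
# Added example, not Lacework's or Google's code: find GKE clusters with Legacy
# Authorization (ABAC) enabled and emit the gcloud command that disables it.
#
# Real input would come from:
#   gcloud container clusters list --format='value(name,location,legacyAbac.enabled)' | audit
# Each line is: <name> TAB <location> TAB <True|False|empty>   (assumed format)

# Constructed sample inventory (not real clusters): two with ABAC on, two without.
SAMPLE_INVENTORY=$(printf 'prod-a\tus-central1-a\tTrue\nprod-b\tus-central1\tTrue\ndev-c\teurope-west1-b\tFalse\nold-d\tasia-east1-a\t\n')

# Zones look like us-central1-a (two dashes); regions look like us-central1 (one dash).
is_zone() {
  case "$1" in
    *-*-*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the remediation command for one inventory line; print nothing if ABAC is off.
remediation_for() {
  name=$(printf '%s' "$1" | cut -f1)
  location=$(printf '%s' "$1" | cut -f2)
  abac=$(printf '%s' "$1" | cut -f3)
  case "$abac" in
    True|true)
      if is_zone "$location"; then
        flag="--zone"
      else
        flag="--region"
      fi
      printf 'gcloud container clusters update %s %s %s --no-enable-legacy-authorization\n' \
        "$name" "$flag" "$location"
      ;;
  esac
}

# Read inventory lines on stdin and print one remediation command per affected cluster.
audit() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    cmd=$(remediation_for "$line")
    [ -n "$cmd" ] && echo "$cmd"
  done
  return 0
}

# Demo run on the constructed inventory; prints two commands (prod-a zonal, prod-b regional).
printf '%s\n' "$SAMPLE_INVENTORY" | audit
```

Review the printed commands before running them. After remediation, confirm the setting with `gcloud container clusters describe <cluster_name> --zone <compute_zone> --format='value(legacyAbac.enabled)'`, which should no longer print `True`.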

References

https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110

Additional Information

On clusters running Google Kubernetes Engine (GKE) 1.6 or 1.7, Kubernetes service accounts have full permissions on the Kubernetes API by default. To ensure that role-based access control permissions take effect for a Kubernetes service account on those versions, you must create or update the cluster with the option --no-enable-legacy-authorization. This requirement does not apply to clusters running GKE version 1.8 or higher, where Legacy Authorization is disabled by default; it should still be verified, because an existing cluster may have had it enabled explicitly.