lacework-global-777
Disable Legacy Attribute-Based Access Control (ABAC) (Automated)
Description
Role-Based Access Control (RBAC) supersedes Legacy Authorization, also known as Attribute-Based Access Control (ABAC). ABAC is not under active development. RBAC is the recommended way to manage permissions in Kubernetes.
Remediation
Using Google Cloud Console
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select Kubernetes clusters with Legacy Authorization enabled.
- Click Edit.
- Set Legacy Authorization to Disabled.
- Click Save.
Using Command Line
To disable Legacy Authorization for an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --no-enable-legacy-authorization
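As an added example (not Lacework's or Google's code), a small audit script that consumes the JSON produced by `gcloud container clusters list --format=json`, flags every cluster whose `legacyAbac.enabled` is true, and prints the matching disable command from this remediation. The cluster records below are constructed sample data, and the choice between `--zone` and `--region` is inferred from the shape of the `location` name.

```python
import json

# Constructed sample of `gcloud container clusters list --format=json` output,
# reduced to the fields this check needs (name, location, legacyAbac).
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-zonal", "location": "us-central1-a",
     "legacyAbac": {"enabled": True}},
    {"name": "prod-regional", "location": "europe-west1",
     "legacyAbac": {"enabled": True}},
    {"name": "dev", "location": "us-east1-b", "legacyAbac": {}},
])


def is_regional(location):
    """GKE zones look like 'us-central1-a'; regions look like 'us-central1'."""
    return location.count("-") == 1


def legacy_abac_clusters(clusters_json):
    """Return (name, location) for every cluster with Legacy Authorization on.

    A missing legacyAbac block, or enabled=False, means ABAC is disabled,
    which is the compliant state for this control.
    """
    findings = []
    for cluster in json.loads(clusters_json):
        if cluster.get("legacyAbac", {}).get("enabled", False):
            findings.append((cluster["name"], cluster["location"]))
    return findings


def remediation_command(name, location):
    """Build the disable command from the remediation above.

    The page shows --zone; regional clusters need --region instead.
    """
    flag = "--region" if is_regional(location) else "--zone"
    return (f"gcloud container clusters update {name} {flag} {location} "
            "--no-enable-legacy-authorization")


if __name__ == "__main__":
    for name, location in legacy_abac_clusters(SAMPLE_CLUSTERS_JSON):
        print(f"NON-COMPLIANT {name} ({location}): "
              f"{remediation_command(name, location)}")
```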
References
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110
Additional Information
On clusters running Google Kubernetes Engine (GKE) 1.6 or 1.7, Kubernetes service accounts have full permissions on the Kubernetes API by default.
To ensure that the role-based access control permissions take effect for a Kubernetes service account, you must create or update the cluster with the option --no-enable-legacy-authorization.
This requirement does not apply to clusters running GKE version 1.8 or higher.