Cluster Admin Rolebinding With Superuser Permissions

  • Query id: 249328b8-5f0f-409f-b1dd-029f07882e11
  • Query name: Cluster Admin Rolebinding With Superuser Permissions
  • Platform: Kubernetes
  • Severity: Low
  • Category: Access Control
  • URL: Github

Description

Ensure that the cluster-admin role is only used where required (RBAC). The query flags a ClusterRoleBinding whose roleRef names the built-in cluster-admin ClusterRole. A subject bound to cluster-admin has unrestricted access to every resource in every namespace, including Secrets and the RBAC objects themselves, so a leaked or stolen token for that subject (here a ServiceAccount, the classic Helm 2 tiller case) is a full cluster compromise. Bind the narrowest ClusterRole that does the job (view, edit, or a purpose-built role), or scope access with a namespaced RoleBinding.

Note on the samples below: they use the rbac.authorization.k8s.io/v1beta1 API, which was removed in Kubernetes 1.22, and an empty roleRef.apiGroup. A manifest for a current cluster uses apiVersion rbac.authorization.k8s.io/v1 and apiGroup rbac.authorization.k8s.io; the query matches on roleRef.name either way.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
# trigger validation
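The check the query performs, as an added Python example that is not KICS code: it walks a list of manifests already parsed into dicts (no YAML library needed; the output of `yaml.safe_load_all`, or the `items` array of `kubectl get clusterrolebindings,rolebindings -A -o json`, has this shape) and reports every binding whose roleRef is cluster-admin. It goes slightly beyond the page's positive case: it also reports a namespaced RoleBinding to cluster-admin (full control of that namespace) and marks a binding to the catch-all groups system:authenticated / system:unauthenticated as the worst case. The manifests, binding names, and the severity labels are constructed for this example.

```python
"""Detect RBAC bindings that hand out the built-in cluster-admin ClusterRole.

Added example for this page (not KICS code). Works on manifests already
parsed into dicts; the sample manifests below are constructed inline.
"""
from typing import Any, Dict, List

# Groups that match every caller; binding them to cluster-admin is the worst case.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def find_cluster_admin_bindings(manifests: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per (Cluster)RoleBinding whose roleRef is cluster-admin."""
    findings: List[Dict[str, Any]] = []
    for m in manifests:
        kind = m.get("kind")
        if kind not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = m.get("roleRef") or {}
        # cluster-admin is a ClusterRole. A RoleBinding may reference it too,
        # which grants full control of the binding's namespace rather than the cluster.
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        meta = m.get("metadata") or {}
        subjects = m.get("subjects") or []
        if kind == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace " + meta.get("namespace", "default")
        broad = any(
            s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS for s in subjects
        )
        findings.append({
            "binding": meta.get("name", "<unnamed>"),
            "kind": kind,
            "scope": scope,
            "subjects": [f"{s.get('kind')}/{s.get('name')}" for s in subjects],
            # Severity labels are this example's own convention, not the query's.
            "severity": "critical" if broad else "high",
        })
    return findings


# Constructed manifests: the page's two samples (on the v1 API) plus two extra cases.
SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {   # positive: service account bound cluster-wide to cluster-admin
        "kind": "ClusterRoleBinding",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "tiller-clusterrolebinding"},
        "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}],
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                    "apiGroup": "rbac.authorization.k8s.io"},
    },
    {   # negative: same subject, read-only 'view' ClusterRole
        "kind": "ClusterRoleBinding",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "tiller-view"},
        "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}],
        "roleRef": {"kind": "ClusterRole", "name": "view",
                    "apiGroup": "rbac.authorization.k8s.io"},
    },
    {   # namespaced RoleBinding to cluster-admin: full control of namespace 'dev'
        "kind": "RoleBinding",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "ns-admin", "namespace": "dev"},
        "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                    "apiGroup": "rbac.authorization.k8s.io"},
    },
    {   # worst case: every authenticated principal becomes cluster-admin
        "kind": "ClusterRoleBinding",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "everyone-admin"},
        "subjects": [{"kind": "Group", "name": "system:authenticated",
                      "apiGroup": "rbac.authorization.k8s.io"}],
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                    "apiGroup": "rbac.authorization.k8s.io"},
    },
]


if __name__ == "__main__":
    for f in find_cluster_admin_bindings(SAMPLE_MANIFESTS):
        print(f"[{f['severity']}] {f['kind']} {f['binding']} ({f['scope']}): "
              + ", ".join(f["subjects"]))
```

Against the constructed input this reports tiller-clusterrolebinding, ns-admin and everyone-admin and skips the `view` binding, mirroring the query's positive and negative samples. On a live cluster, `kubectl get clusterrolebindings,rolebindings -A -o json` and passing the `items` list in gives the same triage without a scanner.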