Cluster Admin Rolebinding With Superuser Permissions

Query id: 249328b8-5f0f-409f-b1dd-029f07882e11
Query name: Cluster Admin Rolebinding With Superuser Permissions
Platform: Kubernetes
Severity: Low
Category: Access Control
URL: Github

Description¶

Ensure that the cluster-admin role is only used where required (RBAC)
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
# trigger validation