Cluster Admin Rolebinding With Superuser Permissions

  • Query id: 17172bc2-56fb-4f17-916f-a014147706cd
  • Query name: Cluster Admin Rolebinding With Superuser Permissions
  • Platform: Terraform
  • Severity: Low
  • Category: Access Control
  • URL: Github

Description

Ensure that the cluster-admin role is only used where required (RBAC)
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - tf file
resource "kubernetes_cluster_role_binding" "example2" {
  metadata {
    name = "terraform-example2"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "kubernetes_cluster_role_binding" "example1" {
  metadata {
    name = "terraform-example1"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}