Cluster Admin Rolebinding With Superuser Permissions
- Query id: 17172bc2-56fb-4f17-916f-a014147706cd
- Query name: Cluster Admin Rolebinding With Superuser Permissions
- Platform: Terraform
- Severity: Low
- Category: Access Control
- URL: Github
Description
Ensure that the built-in cluster-admin ClusterRole is bound only where it is genuinely required (RBAC). A kubernetes_cluster_role_binding whose role_ref names cluster-admin grants every listed subject unrestricted access to every resource in every namespace; treat each such binding as a named cluster superuser. The check matches on the role name in role_ref (the two samples below differ in role_ref.name), so a binding to a differently named ClusterRole passes even if that role grants equivalent privileges and should be reviewed separately.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "kubernetes_cluster_role_binding" "example2" {
  metadata {
    name = "terraform-example2"
  }

  # role_ref names the built-in cluster-admin ClusterRole: every subject below
  # becomes a cluster-wide superuser, which is what the query flags.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  # Binding the default ServiceAccount in kube-system hands cluster-admin to
  # any pod in that namespace that does not set its own serviceAccountName.
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "kubernetes_cluster_role_binding" "example1" {
  metadata {
    name = "terraform-example1"
  }

  # role_ref points at a ClusterRole named "cluster" rather than cluster-admin,
  # so the query does not flag it; what "cluster" actually grants is not inspected.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster"
  }

  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }

  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
```
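The negative sample above passes the check only because the role name differs; it says nothing about what a least-privilege replacement looks like. The following Terraform is an added example, not part of the KICS page or its test suite: it replaces the cluster-admin binding with a purpose-built ClusterRole that grants read-only access to nodes, bound to a dedicated ServiceAccount in its own namespace. The namespace, role and account names (`ops`, `node-reader`) and the chosen verbs are assumptions for illustration.

```hcl
# Added example (not from the original page): a scoped alternative to binding
# cluster-admin. Names and the permission set are illustrative assumptions.

resource "kubernetes_namespace" "ops" {
  metadata {
    name = "ops"
  }
}

# A dedicated ServiceAccount so the permission is tied to one identity rather
# than to the namespace's default account, which every unconfigured pod mounts.
resource "kubernetes_service_account" "node_reader" {
  metadata {
    name      = "node-reader"
    namespace = kubernetes_namespace.ops.metadata[0].name
  }
}

# A ClusterRole that lists exactly the API groups, resources and verbs needed.
# Reviewing this block is the whole audit; there is no wildcard to reason about.
resource "kubernetes_cluster_role" "node_reader" {
  metadata {
    name = "node-reader"
  }

  rule {
    api_groups = [""]
    resources  = ["nodes"]
    verbs      = ["get", "list", "watch"]
  }
}

# The binding references the scoped role, so role_ref.name is not cluster-admin
# and the query passes for the right reason.
resource "kubernetes_cluster_role_binding" "node_reader" {
  metadata {
    name = "node-reader"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.node_reader.metadata[0].name
  }

  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.node_reader.metadata[0].name
    namespace = kubernetes_namespace.ops.metadata[0].name
  }
}
```

Two of the subjects in the flagged sample are worth dropping rather than porting to a scoped role. The `system:masters` group is treated as a superuser by the API server regardless of any RoleBinding or ClusterRoleBinding, so listing it as a subject grants nothing new and only obscures who the real superusers are. The `default` ServiceAccount in `kube-system` is automatically mounted by every pod in that namespace that does not set `serviceAccountName`, so any privilege bound to it leaks to all of them. After applying, `kubectl auth can-i --list --as=system:serviceaccount:ops:node-reader` shows the effective permission set and confirms that nothing beyond the listed rule was granted.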