Cluster Admin Rolebinding With Superuser Permissions

  • Query id: 17172bc2-56fb-4f17-916f-a014147706cd
  • Query name: Cluster Admin Rolebinding With Superuser Permissions
  • Platform: Terraform
  • Severity: Low
  • Category: Access Control
  • URL: Github

Description

The built-in cluster-admin ClusterRole allows every verb on every resource in every API group, plus all non-resource URLs. A kubernetes_cluster_role_binding whose role_ref names cluster-admin therefore gives each listed subject unrestricted control of the whole cluster; when the subject is a ServiceAccount, every pod that runs as that account inherits the same power through its mounted token. Ensure that cluster-admin is bound only where it is genuinely required and that other subjects get a ClusterRole or Role limited to the verbs and resources they actually need (RBAC). The query matches on the role_ref name, not on which subjects are listed.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Flagged: role_ref names the built-in cluster-admin ClusterRole, so every
# subject listed below receives unrestricted access to all resources in the cluster.
resource "kubernetes_cluster_role_binding" "example2" {
  metadata {
    name = "terraform-example2"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  # The default service account of kube-system: any pod in that namespace that
  # does not set its own serviceAccountName runs with this token, now as cluster admin.
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  # system:masters is already a hard-coded superuser group, so this grant is
  # redundant; the query still matches because it inspects only role_ref.
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Not flagged: role_ref names a ClusterRole other than cluster-admin. The
# referenced role ("cluster" here) must be defined separately and should carry
# only the rules these subjects need; the query checks role_ref.name alone.
resource "kubernetes_cluster_role_binding" "example1" {
  metadata {
    name = "terraform-example1"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster"
  }
  subject {
    kind      = "User"
    name      = "admin"
    api_group = "rbac.authorization.k8s.io"
  }
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kube-system"
  }
  subject {
    kind      = "Group"
    name      = "system:masters"
    api_group = "rbac.authorization.k8s.io"
  }
}
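The query above finds cluster-admin bindings in Terraform before they are applied. The same pattern is worth checking in a running cluster, where bindings may have been created by kubectl, Helm or a previous operator. The script below is an added example, not KICS or Terraform provider code: it takes the parsed JSON of `kubectl get clusterrolebindings -o json` (or `kubectl get rolebindings -A -o json`, where cluster-admin still means every verb on every resource inside that namespace), reports each subject bound to the cluster-admin ClusterRole, and explains why that subject matters. It skips only the Group system:masters entry on the bootstrap binding named `cluster-admin`, which the API server creates itself; any other subject on that binding is reported because it means the default was edited. The embedded SAMPLE is constructed to mirror the page's positive Terraform example and is not captured from a real cluster.

```python
"""Find cluster-admin grants in Kubernetes RBAC bindings.

Added example (not KICS or Terraform provider code). Feed it the parsed JSON of
`kubectl get clusterrolebindings -o json` or `kubectl get rolebindings -A -o json`.
"""
import json
import sys

# Name of the binding the API server creates at bootstrap for the system:masters
# group. Its presence is expected; only extra subjects on it are reported.
BOOTSTRAP_BINDING = "cluster-admin"

# Built-in groups that cover every identity of a given class. A cluster-admin
# grant to any of these is effectively cluster-wide (or anonymous) admin.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}


def describe_subject(subject):
    """Render a subject as 'Kind name' or 'ServiceAccount namespace/name'."""
    kind = subject.get("kind", "")
    name = subject.get("name", "")
    if kind == "ServiceAccount":
        return f"ServiceAccount {subject.get('namespace', 'default')}/{name}"
    return f"{kind} {name}"


def subject_risk(subject):
    """One-line explanation of why this subject holding cluster-admin matters."""
    kind = subject.get("kind")
    name = subject.get("name", "")
    if kind == "ServiceAccount":
        return "every pod running as this service account gets unrestricted API access"
    if kind == "Group" and name in BROAD_GROUPS:
        return "built-in group: every matching identity becomes cluster admin"
    if kind == "Group" and name == "system:masters":
        return "system:masters is a hard-coded superuser group; the binding is redundant"
    return "human or external identity with unrestricted cluster access"


def find_cluster_admin_bindings(binding_list):
    """Return one finding per subject bound to the cluster-admin ClusterRole.

    binding_list is the parsed `kubectl get ... -o json` List object. Works for
    ClusterRoleBindings (cluster-wide grant) and RoleBindings (cluster-admin
    limited to the binding's namespace, but still every verb on every resource there).
    """
    findings = []
    for item in binding_list.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != "cluster-admin":
            continue
        meta = item.get("metadata", {})
        binding = meta["name"]
        if meta.get("namespace"):  # RoleBinding: qualify with its namespace
            binding = f"{meta['namespace']}/{binding}"
        for subject in item.get("subjects") or []:
            # The bootstrap binding legitimately carries Group system:masters;
            # any other subject on it means someone edited the default.
            if (binding == BOOTSTRAP_BINDING and subject.get("kind") == "Group"
                    and subject.get("name") == "system:masters"):
                continue
            findings.append({
                "binding": binding,
                "subject": describe_subject(subject),
                "risk": subject_risk(subject),
            })
    return findings


# Constructed sample: the bootstrap binding, a binding shaped like the page's
# positive Terraform example, and a harmless read-only binding. Not real data.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "terraform-example2"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [
     {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "admin"},
     {"kind": "ServiceAccount", "name": "default", "namespace": "kube-system"},
     {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "ci-readonly"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]}
]}
""")


if __name__ == "__main__":
    # Usage: kubectl get clusterrolebindings -o json | python3 audit_cluster_admin.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in find_cluster_admin_bindings(data):
        print(f"{finding['binding']}: {finding['subject']} -> {finding['risk']}")
```

On the sample the script reports the three subjects of terraform-example2 and nothing for the bootstrap binding or the view binding. Each reported subject is a candidate for the same remediation the query implies: replace the cluster-admin role_ref with a ClusterRole or Role that lists only the verbs and resources that subject needs.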