Profile Applicability:
• Level 1
Description:
Ensure that the cluster-admin role in Kubernetes is assigned only to those who absolutely require it, as it provides wide-ranging privileges over the cluster.
Rationale:
Kubernetes provides a set of default roles, and the cluster-admin role grants super-user access to perform any action on any resource in the cluster. This role should be used with caution and only assigned to users or service accounts that require full control. Overuse of cluster-admin can lead to security risks, as it provides unrestricted access to cluster resources.
Impact:
Pros:
Restricting the use of cluster-admin improves security by reducing the number of users or service accounts with elevated privileges.
Reduces the attack surface by minimizing the exposure of sensitive resources.
Cons:
Care must be taken not to inadvertently break system functionality by incorrectly removing necessary cluster-admin bindings.
Requires careful role management to ensure that users who need elevated privileges are granted the correct roles.
Default Value:
By default, a clusterrolebinding named cluster-admin is provided with the system:masters group as its principal, which grants full control over all resources.
Pre-requisites:
Access to the Kubernetes cluster via kubectl.
Sufficient privileges to manage RBAC and review role bindings.
Remediation
Test Plan:
Using AWS Console:
Run the following command to obtain a list of principals who have access to the cluster-admin role:
kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name
Review the output to identify the users or service accounts that are assigned the cluster-admin role.
For each principal, determine if cluster-admin privileges are necessary, or if a lower-privileged role would be sufficient.
Using AWS CLI:
Use the same command above to get a list of clusterrolebindings for cluster-admin.
Review each principal listed to determine if the cluster-admin role is required for their duties.
Implementation Plan
Using AWS Console:
Identify the clusterrolebinding assignments to the cluster-admin role.
For users or service accounts that do not require full cluster-admin access, assign them to a lower-privileged role such as edit or view.
After assigning a more restrictive role, delete the clusterrolebinding for the cluster-admin role using the following command:
kubectl delete clusterrolebinding [name]
Ensure system components that require cluster-admin access (e.g., system:masters) are not modified, as this could break cluster functionality.
Using AWS CLI:
Review the clusterrolebinding output for users and service accounts assigned the cluster-admin role.
Create a new role with fewer privileges and bind users or service accounts to the new role.
Delete the clusterrolebinding for cluster-admin:
kubectl delete clusterrolebinding [name]
Ensure the changes do not interfere with essential system components.
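The Test Plan and Implementation Plan above are a single procedure: list the bindings, find the ones whose roleRef is cluster-admin, leave the built-in system:masters binding alone, move the remaining subjects to a lower-privileged role, and only then delete their cluster-admin bindings. The script below is an added example (not part of this benchmark and not Kubernetes project code) that automates the review step offline. It parses the JSON that `kubectl get clusterrolebindings -o json` returns, flags every binding that grants cluster-admin, marks the default binding and any binding for the system:masters group as protected, generates a replacement ClusterRoleBinding manifest to the built-in edit or view role, and emits the delete commands only for the unprotected bindings. The binding names, users and service accounts in the embedded sample are constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample of `kubectl get clusterrolebindings -o json`, trimmed to the
# fields the audit uses. Names, users and service accounts are made up.
SAMPLE_CLUSTERROLEBINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "ci-deployer-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]},
        {"metadata": {"name": "alice-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "alice@example.com"}]},
        {"metadata": {"name": "readers"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "readers"}]},
    ],
})

DEFAULT_BINDING = "cluster-admin"                 # shipped with Kubernetes
PROTECTED_SUBJECTS = {("Group", "system:masters")}  # never remove: breaks the cluster


def find_cluster_admin_bindings(raw_json: str) -> List[Dict]:
    """Return every binding whose roleRef is cluster-admin, with its subjects and a
    'protected' flag for the built-in binding / system:masters that must stay."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        if item.get("roleRef", {}).get("name") != "cluster-admin":
            continue
        name = item["metadata"]["name"]
        subjects = [(s.get("kind"), s.get("name"), s.get("namespace"))
                    for s in item.get("subjects") or []]
        protected = name == DEFAULT_BINDING or any(
            (kind, subj) in PROTECTED_SUBJECTS for kind, subj, _ in subjects)
        findings.append({"binding": name, "subjects": subjects, "protected": protected})
    return findings


def replacement_binding(finding: Dict, cluster_role: str = "view") -> Dict:
    """Build a ClusterRoleBinding manifest granting the same subjects a built-in
    lower-privileged ClusterRole (edit or view) instead of cluster-admin."""
    if cluster_role not in ("edit", "view"):
        raise ValueError("use one of the built-in lower-privileged roles: edit, view")
    subjects = []
    for kind, name, namespace in finding["subjects"]:
        subj = {"kind": kind, "name": name}
        if kind == "ServiceAccount":
            subj["namespace"] = namespace          # core group, namespaced
        else:
            subj["apiGroup"] = "rbac.authorization.k8s.io"  # User / Group
        subjects.append(subj)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{finding['binding']}-{cluster_role}"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": subjects,
    }


def remediation_commands(findings: List[Dict]) -> List[str]:
    """Delete commands for the final step, skipping every protected binding."""
    return [f"kubectl delete clusterrolebinding {f['binding']}"
            for f in findings if not f["protected"]]


if __name__ == "__main__":
    # With a live cluster: kubectl get clusterrolebindings -o json | python3 this_script.py
    found = find_cluster_admin_bindings(SAMPLE_CLUSTERROLEBINDINGS)
    for f in found:
        print(("KEEP    " if f["protected"] else "REVIEW  ") + f["binding"], f["subjects"])
    for f in found:
        if not f["protected"]:
            print(json.dumps(replacement_binding(f, "view"), indent=2))
    print("\n".join(remediation_commands(found)))
```

Apply the generated manifest with `kubectl apply -f` and confirm the subject's workload still functions before running the delete commands; that ordering is what keeps the backout trivial. Binding edit or view through a namespaced RoleBinding rather than a ClusterRoleBinding narrows the grant further to the namespaces the subject actually uses.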
Backout Plan
Using AWS Console:
If removing a clusterrolebinding causes issues, re-create the clusterrolebinding for the user or service account using the original cluster-admin settings.
Review the necessary permissions and reassign them if needed.
Using AWS CLI:
Revert the clusterrolebinding changes by re-adding the binding for the cluster-admin role:
kubectl create clusterrolebinding [name] --clusterrole=cluster-admin --user=[user]
Ensure that you apply the least privileged model to users, assigning only necessary roles.
References:
Kubernetes RBAC Authorization
Kubernetes RBAC Role Binding