Profile Applicability:

  • Level 1

Description:
 The cluster-admin ClusterRole is the most powerful built-in role in Kubernetes: it grants unrestricted access to every resource in every namespace, so any subject that holds it controls the whole cluster. It is granted by binding it to users, groups or service accounts through a ClusterRoleBinding or, for full control of a single namespace, through a RoleBinding. It should be bound only to the people and service accounts that actually need it for cluster administration. This check ensures that cluster-admin is not over-used and is bound only to those subjects.

Rationale:
 Every unnecessary cluster-admin binding adds a subject whose compromise means compromise of the entire cluster; a workload running under a cluster-admin service account, for example, turns any code-execution bug in that workload into full control of the API server. The principle of least privilege should be followed, granting users and service accounts only the permissions they need (the built-in admin, edit and view ClusterRoles, or a purpose-built Role, usually suffice). Restricting the use of cluster-admin limits the blast radius of a compromised credential and removes an easy privilege-escalation path.

Impact:

  • Pros:

    • Enhances security by minimizing the number of users with full cluster access.

    • Reduces the potential impact of a compromised account with excessive permissions.

  • Cons:

    • Might require additional management of roles and responsibilities to ensure that the correct permissions are in place.

    • May add administrative overhead to ensure users and service accounts have appropriate roles.

Default Value:
 Kubernetes ships with a ClusterRoleBinding named cluster-admin that grants the cluster-admin ClusterRole to the system:masters group; the API server re-creates this binding on start-up, so it cannot be permanently removed and should be left in place. The cluster administrator credential issued when the cluster is created (in AKS, the kubeconfig fetched with az aks get-credentials --admin) is a member of this group. Any further cluster-admin bindings are created by operators and should be restricted to avoid overuse.

Pre-requisites:
 Ensure that Role-Based Access Control (RBAC) is enabled on the cluster (it is enabled by default on AKS) and that the credential used for the review can read ClusterRoleBindings and RoleBindings in all namespaces. If the cluster uses Azure RBAC for Kubernetes authorization, also ensure you can read the cluster's Azure role assignments, since cluster-admin can then also be granted through the Azure Kubernetes Service RBAC Cluster Admin role.

Remediation:

Test Plan:

Using Azure Console:

  1. Open the AKS cluster in the Azure portal and review its access configuration: the Kubernetes RBAC bindings, and, under Access control (IAM), any assignments of the Azure Kubernetes Service RBAC Cluster Admin role if Azure RBAC for Kubernetes authorization is enabled.

  2. Review every binding of the cluster-admin ClusterRole (ClusterRoleBindings and namespace-scoped RoleBindings alike) and confirm each subject is an authorized cluster administrator.

Using Azure CLI:

  1. Obtain cluster credentials with az aks get-credentials, then list every binding that references the cluster-admin ClusterRole, together with its subjects (plain kubectl get clusterrolebindings lists all bindings; the filter below keeps only the relevant ones):

     kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name' | grep -w cluster-admin

     kubectl get rolebindings -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name' | grep -w cluster-admin

  2. Review the output. The built-in cluster-admin binding to the system:masters group is expected; every other binding must belong to a user, group or service account that truly requires full administrative access. A RoleBinding that references cluster-admin still grants complete control of its namespace and should be reviewed as well.
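The filtering above can be scripted so the review is repeatable and produces a finding per unauthorized subject. The following is an added example, not part of the benchmark text: it consumes the JSON emitted by kubectl get clusterrolebindings,rolebindings -A -o json, reports every subject bound to the cluster-admin ClusterRole (cluster-wide or namespace-scoped) that is not on an allowlist, and prints the kubectl command that would remove the binding. The EXPECTED_SUBJECTS allowlist and the SAMPLE bindings are hypothetical and constructed for this example; replace the allowlist with your cluster's approved administrators.

```python
"""Audit which subjects hold cluster-admin, via ClusterRoleBindings and RoleBindings.

Added example (not part of the benchmark text). Feed it the JSON that kubectl emits:

    kubectl get clusterrolebindings,rolebindings -A -o json | python3 cluster_admin_audit.py -

Without the "-" argument it runs against the constructed SAMPLE below.
"""
import json
import sys

# Subjects that are allowed to hold cluster-admin. Hypothetical allowlist for this
# example; replace with the approved administrators of your own cluster.
EXPECTED_SUBJECTS = {
    ("Group", "system:masters"),  # the built-in bootstrap binding, reconciled by the API server
}


def find_cluster_admin_grants(items):
    """Return (binding_kind, binding_name, namespace, subject_kind, subject_name) for every
    subject of a binding whose roleRef is the cluster-admin ClusterRole.

    RoleBindings are included because binding cluster-admin through a RoleBinding
    still grants full control of that namespace. Service accounts are reported as
    namespace:name, the same form kubectl's --serviceaccount flag uses.
    """
    grants = []
    for binding in items:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        namespace = binding["metadata"].get("namespace")  # None for a ClusterRoleBinding
        for subject in binding.get("subjects") or []:  # subjects may be omitted entirely
            name = subject["name"]
            if subject["kind"] == "ServiceAccount":
                name = f"{subject.get('namespace', namespace)}:{name}"
            grants.append((binding["kind"], binding["metadata"]["name"],
                           namespace, subject["kind"], name))
    return grants


def unexpected_grants(items, expected=EXPECTED_SUBJECTS):
    """Grants whose subject is not on the allowlist; each one is a finding for this check."""
    return [g for g in find_cluster_admin_grants(items) if (g[3], g[4]) not in expected]


def remediation_command(grant):
    """The kubectl command that removes the offending binding (review before running)."""
    kind, name, namespace = grant[0], grant[1], grant[2]
    if kind == "RoleBinding":
        return f"kubectl delete rolebinding -n {namespace} {name}"
    return f"kubectl delete clusterrolebinding {name}"


# Constructed sample, shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = {"kind": "List", "apiVersion": "v1", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-admins", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
]}


def main(argv):
    data = json.load(sys.stdin) if len(argv) > 1 and argv[1] == "-" else SAMPLE
    findings = unexpected_grants(data["items"])
    for g in findings:
        scope = f"namespace {g[2]}" if g[2] else "cluster-wide"
        print(f"{g[0]} {g[1]} ({scope}): {g[3]} {g[4]} holds cluster-admin")
        print(f"    remediate: {remediation_command(g)}")
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed sample the script reports two findings (the ci:deployer service account and the devs group in namespace dev) and ignores both the expected system:masters binding and the readers binding, which references the view ClusterRole rather than cluster-admin. The non-zero exit code makes it usable as a periodic check in a pipeline.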

Implementation Plan:

Using Azure Console:

  1. Review the Kubernetes RBAC bindings (and, where Azure RBAC for Kubernetes authorization is enabled, the Azure role assignments on the cluster) that grant cluster-admin.

  2. Confirm that the cluster-admin ClusterRole is bound only to authorized users, groups or service accounts.

  3. Remove any unnecessary cluster-admin bindings and replace them with a narrower role such as the built-in admin, edit or view ClusterRole, or a purpose-built Role scoped to the resources the subject actually needs.

Using Azure CLI:

  1. List the bindings that grant cluster-admin (see the Test Plan for a filtered listing):

     kubectl get clusterrolebindings

  2. Remove each unnecessary cluster-admin binding. For a ClusterRoleBinding:

     kubectl delete clusterrolebinding <binding-name>

     For a namespace-scoped RoleBinding that references cluster-admin:

     kubectl delete rolebinding -n <namespace> <binding-name>

     Do not delete the built-in cluster-admin binding to the system:masters group; the API server recreates it, and the bootstrap administrator credential depends on it. Before removing a service account's binding, confirm the workloads that use it still function with the narrower role you assign in its place.


Backout Plan:

Using Azure Console:

  1. If removing a cluster-admin binding breaks an administrative workflow, re-create the binding for the affected user, group or service account and revisit which narrower role would have sufficed.

Using Azure CLI:

  1. Revert the change by re-creating the binding for the affected subject. For a user, group or service account respectively:

     kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --user=<user-name>

     kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --group=<group-name>

     kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --serviceaccount=<namespace>:<service-account-name>

     To restore a namespace-scoped grant, use kubectl create rolebinding -n <namespace> with the same --clusterrole=cluster-admin flag instead.

References:

  1. Kubernetes RBAC Documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/