Profile Applicability:

  • Level 1

Description:
 The cluster-admin role in Kubernetes grants full administrative access to the entire cluster, including the ability to modify every resource and perform any operation. This check ensures that the cluster-admin role is bound only to trusted administrators and service accounts, restricting its use to the workloads and users that genuinely require it.

Rationale:
 The cluster-admin role carries the highest level of permissions in Kubernetes and should be used sparingly. Overuse of this role creates security risk, because any user or service account holding cluster-admin privileges can modify or disrupt critical resources. Limiting the use of this role reduces the attack surface and ensures that only those who need full administrative access have it.

Impact:

  • Pros:

    • Enhances security by limiting the number of users or service accounts with full administrative privileges.

    • Reduces the risk of unintentional changes or disruptions to the cluster caused by users with excessive privileges.

  • Cons:

    • Some users or service accounts may require elevated privileges to perform their duties, and limiting the cluster-admin role may require more granular permissions for certain tasks.

    • Increases the complexity of RBAC (Role-Based Access Control) management, as you need to ensure users are assigned only the necessary roles and permissions.

Default Value:
 By default, the cluster-admin role is granted to certain users or service accounts that need full access to the cluster. It is important to ensure that this role is assigned only to users or service accounts that require it.

Pre-requisites:
 Ensure that RBAC (Role-Based Access Control) is enabled and properly configured in the cluster. Use RoleBindings and ClusterRoleBindings to assign the cluster-admin role only where necessary.


Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Role-Based Access Control (RBAC) settings and check the ClusterRoleBindings to see which users or service accounts have been granted the cluster-admin role.

  3. Ensure that cluster-admin is only assigned to trusted users or administrators who require full access to the cluster.

Using Azure CLI:

1. Use the following command to list every ClusterRoleBinding whose roleRef is the cluster-admin ClusterRole, together with the subjects each binding grants it to (ClusterRoleBindings are cluster-scoped, so no namespace flag applies):

kubectl get clusterrolebindings -o=jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{.metadata.name}{": "}{range .subjects[*]}{.kind}{"/"}{.name}{" "}{end}{"\n"}{end}'

2. Ensure that only trusted users or service accounts are listed.

3. Check the permissions for specific ClusterRoleBindings to ensure the cluster-admin role is assigned only to users or service accounts that require full administrative access:

kubectl describe clusterrolebinding <binding-name>
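
The same audit over the JSON form of the bindings, as an added example that is not part of this benchmark: it reports each ClusterRoleBinding referencing the cluster-admin ClusterRole with its subjects, skips the control plane's own `cluster-admin` binding while it still carries only its stock `system:masters` subject, and tolerates bindings with no subjects. The binding and subject names in the embedded sample are constructed.

```python
# Added example: audit which ClusterRoleBindings grant the cluster-admin ClusterRole.
# Usage: kubectl get clusterrolebindings -o json | python3 audit_cluster_admin.py --stdin
import json
import sys
# Default control-plane binding (stock subject: the system:masters group; re-created by the API server if deleted).
DEFAULT_BINDING = "cluster-admin"
DEFAULT_SUBJECT = ("Group", "system:masters", "")

def subject_id(subject):
    """Normalise a subject to (kind, name, namespace); namespace is set only for ServiceAccounts."""
    return (subject.get("kind", ""), subject.get("name", ""), subject.get("namespace", ""))

def find_cluster_admin_grants(binding_list):
    """Return [(binding_name, [subject_id, ...])] for each ClusterRoleBinding whose roleRef
    is the cluster-admin ClusterRole, skipping the default binding if it is unmodified."""
    findings = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        name = item["metadata"]["name"]
        # 'subjects' is absent or null on a binding that currently has no subjects.
        subjects = [subject_id(s) for s in item.get("subjects") or []]
        if name == DEFAULT_BINDING and subjects == [DEFAULT_SUBJECT]:
            continue
        findings.append((name, subjects))
    return findings

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "dev-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "dev-team"},
                  {"kind": "User", "name": "alice@example.com"}]},
    {"metadata": {"name": "ci-runner"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "read-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "auditors"}]},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for binding, subjects in find_cluster_admin_grants(data):
        print(binding, [f"{k}/{ns}/{n}" if ns else f"{k}/{n}" for k, n, ns in subjects])
```

Run without `--stdin` to see the output on the embedded sample; every binding it reports (other than an unmodified default) is one to review against the list of trusted administrators.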

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, go to Azure Kubernetes Service (AKS) and navigate to Access Control (IAM) for managing permissions.

  2. Review the ClusterRoleBindings and RoleBindings to identify any users or service accounts assigned the cluster-admin role.

  3. Create more specific RBAC roles for users who require less than full administrative access.

Using Azure CLI:

1. To limit the cluster-admin role, first list the ClusterRoleBindings that reference it and the users, groups and service accounts they bind (ClusterRoleBindings are cluster-scoped, so no namespace flag applies):

kubectl get clusterrolebindings -o=jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{.metadata.name}{": "}{range .subjects[*]}{.kind}{"/"}{.name}{" "}{end}{"\n"}{end}'

2. Remove the cluster-admin grant from any user that does not need it by deleting the ClusterRoleBinding that carries it (this removes the grant for every subject listed in that binding):

kubectl delete clusterrolebinding <binding-name>

3. Create specific ClusterRoles with limited permissions for users who do not need full administrative access (saved here as limited-admin-role.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: limited-admin
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "create", "update", "delete"]

4. Apply the updated ClusterRole and ClusterRoleBinding:

kubectl apply -f limited-admin-role.yaml
kubectl create clusterrolebinding <binding-name> --clusterrole=limited-admin --user=<user-name>

Backout Plan:

Using Azure Console:

  1. If restricting the cluster-admin role causes issues, revert the changes by re-assigning the cluster-admin role to the affected users or service accounts in the Azure portal.

Using Azure CLI:

  1. If restricting cluster-admin access causes issues, revert the changes by adding the affected user or service account back to the cluster-admin role:

kubectl create clusterrolebinding <binding-name> --clusterrole=cluster-admin --user=<user-name>


References:

  1. Kubernetes RBAC Documentation

  2. Azure Kubernetes Service (AKS) Role-Based Access Control

  3. Kubernetes Best Practices for RBAC