Information
Legacy Authorization, also known as Attribute-Based Access Control (ABAC) has been superseded by Role-Based Access Control (RBAC) and is not under active development.RBAC is the recommended way to manage permissions in Kubernetes.
In Kubernetes, RBAC is used to grant permissions to resources at the cluster and namespace level. RBAC allows the definition of roles with rules containing a set of permissions, whilst the legacy authorizer (ABAC) in Kubernetes Engine grants broad, statically defined permissions. As RBAC provides significant security advantages over ABAC, it is recommended option for access control. Where possible, legacy authorization must be disabled for GKE clusters.
Solution
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
- Select Kubernetes clusters for which Legacy Authorization is enabled.
- Click EDIT.
- Set 'Legacy Authorization' to 'Disabled'.
- Click SAVE.
Using Command Line:
To disable Legacy Authorization for an existing cluster, run the following command:
gcloud container clusters update <cluster_name> --zone <compute_zone> --no-enable-legacy-authorization
Impact:
Once the cluster has the legacy authorizer disabled, the user must be granted the ability to create authorization roles using RBAC to ensure that the role-based access control permissions take effect.