1.6.1 Ensure that the cluster-admin role is only used where required

Information

The RBAC role 'cluster-admin' provides wide-ranging powers over the environment and should be used only where and when needed.

Rationale:

Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as 'cluster-admin' provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as 'cluster-admin' allow super-user access to perform any action on any resource. When used in a 'ClusterRoleBinding', it gives full control over every resource in the cluster and in all namespaces. When used in a 'RoleBinding', it gives full control over every resource in the rolebinding's namespace, including the namespace itself.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remove any unneeded 'clusterrolebindings':

kubectl delete clusterrolebinding [name]

Impact:

Care should be taken before removing any `clusterrolebindings` from the environment to ensure they were not required for operation of the cluster. Specifically, modifications should not be made to `clusterrolebindings` with the `system:` prefix as they are required for the operation of system components.

See Also

https://workbench.cisecurity.org/files/2125

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|5.1

Plugin: Unix

Control ID: e9d996c9d563419984b015410474665f3c9cfa54e9b122ed548b699e3d14c6a8