Skip to main content

☑️ Prevent use of the `cluster-admin` role

Kubernetes provides a set of default roles where RBAC is used. Some of these roles such as cluster-admin provide wide-ranging privileges which should only be applied where absolutely necessary. Roles such as cluster-admin allow super-user access to perform any action on any resource.
When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.

Targeted objects by this rule (types of kind): RoleBinding / ClusterRoleBinding

Complexity: easy (What does this mean?)

Policy as code identifier: CIS_INVALID_ROLE_CLUSTER_ADMIN


This rule will fail​

If the cluster-admin role is used:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
kind: Role
name: cluster-admin

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of the `cluster-admin` role [1 occurrence]
💡 Incorrect value for key `name` - the RBAC role `cluster-admin` provides wide-ranging powers over the environment and should be used only where needed

How to fix this failure​

Use a more restrictive role:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
roleRef:
kind: Role
name: role:viewer

Read more​