☑️ Prevent use of the system:masters group

The system:masters group has unrestricted access to the Kubernetes API hard-coded into the API server source code. An authenticated user who is a member of this group cannot have their access reduced, even if all bindings and cluster role bindings which mention it, are removed.

When combined with client certificate authentication, use of this group can allow for irrevocable cluster-admin level credentials to exist for a cluster.

Targeted objects by this rule (types of kind): RoleBinding / ClusterRoleBinding

Complexity: medium (What does this mean?)

Policy as code identifier: CIS_INVALID_VALUE_SYSTEM_MASTERS

This rule will fail

If the system:masters group is used:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: do-all
  namespace: default
subjects:
  - kind: User
    name: system:masters
    apiGroup: rbac.authorization.k8s.io

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of the system:masters group [1 occurrence]
💡 Invalid value for key `subjects[].name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API

How to fix this failure

Use a different group:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: do-all
  namespace: default
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io

This rule will fail​

Rule output in the CLI​

How to fix this failure​

Read more​

This rule will fail

Rule output in the CLI

How to fix this failure

Read more