☑️ Prevent use of the system:masters group
The system:masters group has unrestricted access to the Kubernetes API, hard-coded into the API server source code: authorization is short-circuited for its members before RBAC is consulted. An authenticated user who is a member of this group cannot have their access reduced, even if every RoleBinding and ClusterRoleBinding that mentions the group is removed.
When combined with client certificate authentication, use of this group can allow irrevocable cluster-admin level credentials to exist for a cluster: the API server maps the certificate's organization (O) field to group names, and Kubernetes has no mechanism to revoke a client certificate, so such a credential stays valid until it expires.
Targeted objects by this rule (types of kind): RoleBinding / ClusterRoleBinding
Complexity: medium
Policy as code identifier: CIS_INVALID_VALUE_SYSTEM_MASTERS
This rule will fail
If the system:masters group is used:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: do-all
  namespace: default
subjects:
- kind: User
  name: system:masters
  apiGroup: rbac.authorization.k8s.io
Rule output in the CLI
$ datree test *.yaml
>> File: failExample.yaml
❌ Prevent use of the system:masters group [1 occurrence]
💡 Invalid value for key `subjects[].name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API
How to fix this failure
Bind a different subject (here the user jane) instead of the system:masters group:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: do-all
  namespace: default
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
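The Datree rule above checks manifests before they reach the cluster; the same check is worth running against bindings that already exist. The following is an added example, not Datree's code or part of this page's original content. It applies the rule's logic (flag any `subjects[].name` equal to `system:masters` on a RoleBinding or ClusterRoleBinding) to the JSON shape that `kubectl get rolebindings,clusterrolebindings -A -o json` returns (a `v1` `List` wrapping the objects). The sample bindings are constructed for the example; the names `do-all`, `legacy-admins`, `team-a` and the `report` helper are this example's own, not anything the page defines.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of
#   kubectl get rolebindings,clusterrolebindings -A -o json
# Two bindings reference system:masters; the third is clean.
SAMPLE_BINDINGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "do-all", "namespace": "default"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": "do-all"},
            "subjects": [
                {"kind": "User", "name": "system:masters",
                 "apiGroup": "rbac.authorization.k8s.io"},
            ],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "legacy-admins"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [
                {"kind": "Group", "name": "system:masters",
                 "apiGroup": "rbac.authorization.k8s.io"},
                {"kind": "User", "name": "jane",
                 "apiGroup": "rbac.authorization.k8s.io"},
            ],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "do-all", "namespace": "team-a"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": "do-all"},
            "subjects": [
                {"kind": "User", "name": "jane",
                 "apiGroup": "rbac.authorization.k8s.io"},
            ],
        },
    ],
})

# Constructed single-object sample (what `kubectl get rolebinding <name> -o json` returns).
CLEAN_BINDING_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "read-only", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "view"},
    "subjects": [{"kind": "Group", "name": "developers",
                  "apiGroup": "rbac.authorization.k8s.io"}],
})

FORBIDDEN_SUBJECT = "system:masters"
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}


def _binding_id(obj: Dict) -> str:
    """Kind/namespace/name for namespaced objects, Kind/name when cluster-scoped."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    name = meta.get("name", "<unnamed>")
    return f"{obj['kind']}/{ns}/{name}" if ns else f"{obj['kind']}/{name}"


def find_system_masters_bindings(raw_json: str) -> List[Dict[str, str]]:
    """One finding per subject named system:masters, mirroring the rule's
    check on subjects[].name. Accepts a single binding or a v1 List."""
    doc = json.loads(raw_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") not in BINDING_KINDS:
            continue  # ignore unrelated kinds that may appear in a mixed list
        role_ref = obj.get("roleRef", {})
        # `subjects` is optional on a binding; treat a missing list as empty
        for subject in obj.get("subjects") or []:
            if subject.get("name") != FORBIDDEN_SUBJECT:
                continue
            findings.append({
                "binding": _binding_id(obj),
                "subject_kind": subject.get("kind", ""),
                "role_ref": f"{role_ref.get('kind', '')}/{role_ref.get('name', '')}",
            })
    return findings


def report(raw_json: str) -> List[str]:
    """Render findings one per line, in the spirit of the CLI output above."""
    lines = []
    for f in find_system_masters_bindings(raw_json):
        note = ""
        if f["subject_kind"] != "Group":
            # RBAC matches a subject by kind *and* name, so a User named
            # system:masters does not grant the group. It is still flagged:
            # the reference itself is what the rule forbids.
            note = f" (declared as {f['subject_kind']}, not Group)"
        lines.append(f"{f['binding']}: subject system:masters bound to {f['role_ref']}{note}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_BINDINGS_JSON):
        print(line)
```

Feeding real `kubectl ... -o json` output into `report` lists every existing binding that names the group, which is the set this rule would have rejected at admission time. Remember that removing those bindings does not reduce what a genuine system:masters member can do; the bindings are only a signal that someone expected the group to be RBAC-managed, and the credentials carrying the group (for example certificates with O=system:masters) are the thing to hunt for.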