Skip to main content

☑️ Prevent use of the system:masters group

The system:masters group has unrestricted access to the Kubernetes API hard-coded into the API server source code. An authenticated user who is a member of this group cannot have their access reduced, even if all bindings and cluster role bindings which mention it, are removed.

When combined with client certificate authentication, use of this group can allow for irrevocable cluster-admin level credentials to exist for a cluster.

Targeted objects by this rule (types of kind): RoleBinding / ClusterRoleBinding

Complexity: medium (What does this mean?)

Policy as code identifier: CIS_INVALID_VALUE_SYSTEM_MASTERS


This rule will fail​

If the system:masters group is used:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: do-all
namespace: default
subjects:
- kind: User
name: system:masters
apiGroup: rbac.authorization.k8s.io

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of the system:masters group [1 occurrence]
💡 Invalid value for key `subjects[].name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API

How to fix this failure​

Use a different group:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: do-all
namespace: default
subjects:
- kind: User
name: jane
apiGroup: rbac.authorization.k8s.io

Read more​