The ‘cluster-admin’ role should not be used

Description

The ‘cluster-admin’ role comes with super-user level access which can be used to manipulate all resources in the cluster. Avoid using this role unless it’s absolutely necessary.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that no ClusterRoleBinding resource has a roleRef whose name is set to cluster-admin.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-rolebinding
subjects:
- kind: ServiceAccount
  name: test
  namespace: test-ns
roleRef:
  kind: ClusterRole
  name: not-cluster-admin
  apiGroup: rbac.authorization.k8s.io
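The check described above can be automated against a cluster's existing bindings. The following is an added example, not part of this page or of the scanner it documents: it takes the parsed output of `kubectl get clusterrolebindings,rolebindings -A -o json` and reports every binding whose roleRef is the cluster-admin ClusterRole. It goes beyond the page's rule in two ways: it also inspects RoleBinding objects, because a RoleBinding may reference a ClusterRole and thereby grant cluster-admin's permissions within one namespace, and it allowlists the bootstrap ClusterRoleBinding named cluster-admin (bound to the system:masters group) that every cluster ships with. The function names, the allowlist and the sample manifests are constructed for this example.

```python
import json

CLUSTER_ADMIN = "cluster-admin"

# The binding Kubernetes creates at bootstrap (ClusterRoleBinding "cluster-admin"
# for the system:masters group) is expected; every other binding is a finding.
# Constructed allowlist; extend it with bindings you have reviewed and accepted.
DEFAULT_ALLOWLIST = frozenset({("ClusterRoleBinding", "cluster-admin")})


def subject_label(subject):
    """Render a binding subject as Kind/name or Kind/namespace/name."""
    kind = subject.get("kind", "?")
    name = subject.get("name", "?")
    ns = subject.get("namespace")
    return f"{kind}/{ns}/{name}" if ns else f"{kind}/{name}"


def find_cluster_admin_bindings(manifests, allowlist=DEFAULT_ALLOWLIST):
    """Return one finding per binding whose roleRef is the cluster-admin ClusterRole.

    Covers ClusterRoleBinding (the page's check) and, as a generalisation,
    RoleBinding: a RoleBinding may reference a ClusterRole, which grants
    cluster-admin's verbs on every resource inside that namespace.
    """
    findings = []
    for doc in manifests:
        kind = doc.get("kind")
        if kind not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        role_ref = doc.get("roleRef") or {}
        # Only the ClusterRole named cluster-admin matters; a namespaced Role
        # that happens to share the name is a different object.
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != CLUSTER_ADMIN:
            continue
        meta = doc.get("metadata") or {}
        name = meta.get("name", "<unnamed>")
        if (kind, name) in allowlist:
            continue
        findings.append({
            "kind": kind,
            "name": name,
            "namespace": meta.get("namespace"),  # None for cluster-wide bindings
            "subjects": [subject_label(s) for s in doc.get("subjects") or []],
        })
    return findings


def items_from_kubectl_json(text):
    """Unwrap `kubectl get ... -o json` output: a single object or a List with items."""
    data = json.loads(text)
    if data.get("kind") == "List":
        return data.get("items", [])
    return [data]


# Constructed sample standing in for kubectl output from a cluster under review.
SAMPLE = [
    # The page's compliant example: roleRef is not cluster-admin.
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "test-rolebinding"},
     "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"}],
     "roleRef": {"kind": "ClusterRole", "name": "not-cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"}},
    # Bootstrap binding present in every cluster; allowlisted by default.
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"}},
    # Violation: a workload service account granted cluster-wide super-user access.
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"}},
    # Namespace-scoped violation: RoleBinding referencing the cluster-admin ClusterRole.
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "dev-admins", "namespace": "dev"},
     "subjects": [{"kind": "Group", "name": "dev-team"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"}},
]

if __name__ == "__main__":
    for f in find_cluster_admin_bindings(SAMPLE):
        scope = f["namespace"] or "cluster-wide"
        print(f"{f['kind']} {f['name']} ({scope}) grants cluster-admin to "
              + ", ".join(f["subjects"]))
```

Run against a live cluster by piping `kubectl get clusterrolebindings,rolebindings -A -o json` through `items_from_kubectl_json`; any finding other than an explicitly accepted binding should be replaced with a narrower ClusterRole or Role, as the page's remediation describes.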