The ‘cluster-admin’ role should not be used
Description
The ‘cluster-admin’ role comes with super-user level access which can be used to manipulate all resources in the cluster. Avoid using this role unless it’s absolutely necessary.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that the `ClusterRoleBinding` resource type does not have a `roleRef` where `name` is set to `cluster-admin`.
Example Configuration
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-rolebinding
subjects:
  - kind: ServiceAccount
    name: test
    namespace: test-ns
roleRef:
  kind: ClusterRole
  name: not-cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
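One way to audit a running cluster for this rule, added here as an example rather than the page's own tooling: a Python check over the JSON that `kubectl get clusterrolebindings -o json` returns, fed a constructed sample containing the compliant binding above plus one offending binding (the `ci-runner-admin` name and its subject are assumptions for the sample).

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`:
# the compliant binding from this page plus one assumed binding that violates the rule.
SAMPLE_CLUSTERROLEBINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "test-rolebinding"},
            "subjects": [{"kind": "ServiceAccount", "name": "test", "namespace": "test-ns"}],
            "roleRef": {"kind": "ClusterRole", "name": "not-cluster-admin",
                        "apiGroup": "rbac.authorization.k8s.io"},
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "ci-runner-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                        "apiGroup": "rbac.authorization.k8s.io"},
        },
    ],
})


def find_cluster_admin_bindings(list_json: str) -> list:
    """Return one finding per ClusterRoleBinding whose roleRef is the cluster-admin ClusterRole.

    Note: every cluster ships with a built-in binding named `cluster-admin` for the
    `system:masters` group; it is reported too, so review it rather than filter it out.
    """
    doc = json.loads(list_json)
    findings = []
    for item in doc.get("items", []):
        if item.get("kind") != "ClusterRoleBinding":
            continue
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") == "ClusterRole" and role_ref.get("name") == "cluster-admin":
            subjects = []
            for s in item.get("subjects", []):
                # ServiceAccounts carry a namespace; Users and Groups do not.
                ns = s.get("namespace")
                subjects.append(f"{s.get('kind')} {ns + '/' if ns else ''}{s.get('name')}")
            findings.append({"binding": item["metadata"]["name"], "subjects": subjects})
    return findings


if __name__ == "__main__":
    for f in find_cluster_admin_bindings(SAMPLE_CLUSTERROLEBINDINGS):
        print(f"{f['binding']} grants cluster-admin to {', '.join(f['subjects'])}")
```

Pipe real output into `find_cluster_admin_bindings` (for example `kubectl get clusterrolebindings -o json`) and each finding names the binding to remove or re-point at a narrower ClusterRole.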