Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.IAM.10
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
GkeCluster should have legacyAbac.enabled=false
REMEDIATION
From Portal
- Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
- Select reported Kubernetes clusters for which Legacy Authorization is enabled
- Click on EDIT button and Set 'Legacy Authorization' to Disabled
From TF
Set the 'enable_legacy_abac' to be equal to false:
resource "google_container_cluster" "primary" {
...
"enable_legacy_abac" = false
...
}
From Command Line
To disable the legacy-authorization, Run:
gcloud container clusters update CLUSTER_NAME --project=PROJECT --zone ZONE --no-enable-legacy-authorization
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control?hl=en_US
- https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-container-cluster
Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Foundations v. 1.0.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
Updated over 1 year ago