Skip to content

Ensure cluster roles are defined in the cluster

An XCCDF Rule

Description

RBAC is a critical feature in terms of security for Kubernetes and OpenShift. It enables administrators to segment the privileges granted to a service account, and thus allows us to limit the access to resources that they get. By defining cluster roles appropriately one is able to codify organizational policy. [1]

[1] https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000 API endpoint to the local /apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000 file.

Rationale

By defining RBAC cluster roles, one is able to limit the permissions given to a Service Account, and thus limit the blast radius that an account compromise would have.

ID
xccdf_org.ssgproject.content_rule_rbac_cluster_roles_defined
Severity
Medium
References
Updated