
Ensure roles are defined in the cluster

An XCCDF Rule

Description

RBAC is a critical security feature of Kubernetes and OpenShift. It lets administrators partition the privileges granted to a service account and thereby limit which resources that account can reach. By defining roles appropriately, one is able to codify organizational policy. [1]

[1] https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/rbac.authorization.k8s.io/v1/roles?limit=1000 API endpoint and store its response in the local /apis/rbac.authorization.k8s.io/v1/roles?limit=1000 file within that dump.

Rationale

By defining RBAC roles, one is able to limit the permissions given to a Service Account, and thus limit the blast radius that an account compromise would have.
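The following is an added example, not part of the ComplianceAsCode rule or the OpenShift documentation, showing both halves of the procedure above: producing the configuration-dump file the check reads and evaluating it. It assumes (nothing on the page states this) that the dump is a directory tree rooted at a chosen path in which each API path is stored verbatim as a file, and that the `oc` CLI is logged in to the cluster. Only `fetch_roles()` talks to a cluster; `roles_defined()` applies the rule's own criterion (at least one Role present), and `overly_broad_roles()` goes beyond the rule with the check a practitioner would add next, flagging Roles with wildcard verbs or resources, which is exactly the blast radius the rationale warns about. The sample RoleList is constructed, not captured from a real cluster.

```python
"""Added example (not the rule's own check): build the configuration-dump
file this rule reads and evaluate it.

Assumptions (not stated on the page): the dump is a directory tree rooted
at dump_root in which each API path is stored verbatim as a file, and the
`oc` CLI is logged in to the cluster. Only fetch_roles() talks to a
cluster; the other functions run offline on any RoleList JSON.
"""
import json
import subprocess
from pathlib import Path

ROLES_API_PATH = "/apis/rbac.authorization.k8s.io/v1/roles?limit=1000"


def fetch_roles(dump_root: str) -> Path:
    """Query the OCP API with `oc get --raw` and store the JSON response at the
    same relative path under dump_root, which is where the check looks for it."""
    target = Path(dump_root) / ROLES_API_PATH.lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    body = subprocess.run(
        ["oc", "get", "--raw", ROLES_API_PATH],
        check=True, capture_output=True, text=True,
    ).stdout
    target.write_text(body)
    return target


def roles_defined(role_list: dict) -> bool:
    """The rule's criterion: the dump must hold a RoleList with at least one
    Role. A cluster relying only on built-in ClusterRoles, or a dump step that
    stored an empty or invalid file, fails here."""
    if role_list.get("kind") != "RoleList":
        return False
    return len(role_list.get("items", [])) > 0


def overly_broad_roles(role_list: dict) -> list:
    """Practitioner check beyond the rule: a Role whose rules use '*' for verbs
    or resources hands a bound ServiceAccount far more than it needs.
    Returns "namespace/name" for each such Role."""
    broad = []
    for role in role_list.get("items", []):
        meta = role.get("metadata", {})
        for rule in role.get("rules", []) or []:
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                broad.append(f"{meta.get('namespace')}/{meta.get('name')}")
                break
    return broad


def evaluate_dump(dump_root: str) -> dict:
    """Load the dump file the rule reads and report both results; a missing
    or unparsable file is treated as 'no roles defined' rather than an error."""
    path = Path(dump_root) / ROLES_API_PATH.lstrip("/")
    try:
        role_list = json.loads(path.read_text())
    except (OSError, ValueError):
        role_list = {}
    return {"roles_defined": roles_defined(role_list),
            "overly_broad": overly_broad_roles(role_list)}


# Constructed sample RoleList (hypothetical namespaces and names, not captured
# from a real cluster).
SAMPLE_ROLE_LIST = {
    "kind": "RoleList",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "items": [
        {"metadata": {"namespace": "payments", "name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"namespace": "dev", "name": "do-everything"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
}


if __name__ == "__main__":
    print("roles defined:", roles_defined(SAMPLE_ROLE_LIST))
    print("overly broad:", overly_broad_roles(SAMPLE_ROLE_LIST))
```

Run `fetch_roles("/path/to/dump")` against a live cluster to create the file, then `evaluate_dump("/path/to/dump")` to apply the checks; on the constructed sample the rule passes while `dev/do-everything` is reported as overly broad, which is why passing this rule alone says little about least privilege.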

ID
xccdf_org.ssgproject.content_rule_rbac_roles_defined
Severity
Medium
References
Updated