viccuad changed the title from "New policy: Disallow binding groups in RoleBindings/ClusterRoleBindings" to "New policy: Disallow binding groups in (Cluster)RoleBindings" on Jan 2, 2024
Description
This policy disallows using the passed list of groups as subjects in RoleBindings/ClusterRoleBindings.
Certain system groups provide access that is not needed outside of system operations. For example, any user who is a member of this group bypasses all RBAC rights checks and will always have unrestricted superuser access, which cannot be revoked by removing RoleBindings or ClusterRoleBindings. Another example is the system:unauthenticated group, which gives access to anyone who can contact the API server at a network level.
Implements good practices from https://kubernetes.io/docs/concepts/security/rbac-good-practices/
Configuration
Examples
Given the following policy settings:
This RoleBinding would be rejected:
And this would be accepted:
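As an added worked example (not code from this issue or from the policy itself), the following Go program implements the check the issue describes: given a list of disallowed group names, a RoleBinding or ClusterRoleBinding is rejected when any subject of kind Group matches one of them, and accepted otherwise. The `disallowedGroups` settings key is a hypothetical name chosen for this example, not the policy's real schema, and both binding objects below are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Settings is the shape of configuration the issue describes: a list of group
// names that must never appear as subjects. The key name `disallowedGroups`
// is a hypothetical choice for this example, not the policy's actual schema.
type Settings struct {
	DisallowedGroups []string `json:"disallowedGroups"`
}

// Subject is the subset of rbac.authorization.k8s.io/v1 Subject the check needs.
type Subject struct {
	Kind      string `json:"kind"`
	APIGroup  string `json:"apiGroup,omitempty"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

// Binding covers both RoleBinding and ClusterRoleBinding; roleRef is omitted
// because the decision depends only on who is being bound, not to what.
type Binding struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	Subjects []Subject `json:"subjects"`
}

// Validate returns the disallowed group names found among the subjects.
// An empty result means the binding is accepted.
func Validate(settings Settings, b Binding) []string {
	denied := make(map[string]bool, len(settings.DisallowedGroups))
	for _, g := range settings.DisallowedGroups {
		denied[g] = true
	}
	var violations []string
	for _, s := range b.Subjects {
		// Only Group subjects are in scope: a User or ServiceAccount whose name
		// happens to match a listed group is not a group binding.
		if s.Kind == "Group" && denied[s.Name] {
			violations = append(violations, s.Name)
		}
	}
	return violations
}

// ValidateJSON decodes the settings and the admitted object and runs the check.
// Objects of any other kind are an error rather than a silent accept.
func ValidateJSON(settingsJSON, objectJSON []byte) ([]string, error) {
	var settings Settings
	if err := json.Unmarshal(settingsJSON, &settings); err != nil {
		return nil, fmt.Errorf("invalid settings: %w", err)
	}
	var b Binding
	if err := json.Unmarshal(objectJSON, &b); err != nil {
		return nil, fmt.Errorf("invalid object: %w", err)
	}
	if b.Kind != "RoleBinding" && b.Kind != "ClusterRoleBinding" {
		return nil, fmt.Errorf("unsupported kind %q", b.Kind)
	}
	return Validate(settings, b), nil
}

// Constructed sample inputs (not taken from the issue).
const SampleSettings = `{"disallowedGroups": ["system:masters", "system:unauthenticated"]}`

// Rejected: binds the system:unauthenticated group cluster-wide.
const RejectedBinding = `{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "anonymous-viewers"},
  "subjects": [
    {"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": "system:unauthenticated"},
    {"kind": "ServiceAccount", "name": "reporter", "namespace": "monitoring"}
  ],
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"}
}`

// Accepted: binds a namespaced service-account group and a named user only.
const AcceptedBinding = `{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "RoleBinding",
  "metadata": {"name": "monitoring-viewers", "namespace": "monitoring"},
  "subjects": [
    {"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": "system:serviceaccounts:monitoring"},
    {"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": "jane"}
  ],
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "view"}
}`

func main() {
	for name, obj := range map[string]string{"rejected": RejectedBinding, "accepted": AcceptedBinding} {
		violations, err := ValidateJSON([]byte(SampleSettings), []byte(obj))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		if len(violations) > 0 {
			fmt.Printf("%s: denied, disallowed groups bound: %v\n", name, violations)
		} else {
			fmt.Printf("%s: accepted\n", name)
		}
	}
}
```

The check matches on subject kind as well as name on purpose: a `User` or `ServiceAccount` subject is never a group binding, so only `Group` subjects can trip the deny list, and a binding with a kind other than RoleBinding or ClusterRoleBinding is reported as an error instead of being accepted by default.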