
New policy: Disallow binding groups in (Cluster)RoleBindings #604

Open
viccuad opened this issue Jan 2, 2024 · 0 comments


viccuad commented Jan 2, 2024

Description

This policy disallows using the passed list of groups as subjects in RoleBindings/ClusterRoleBindings.

Certain system groups provide access that is not needed outside of system operations. For example, any user who is a member of this group bypasses all RBAC rights checks and will always have unrestricted superuser access, which cannot be revoked by removing RoleBindings or ClusterRoleBindings. Another example is the system:unauthenticated group, which gives access to anyone who can contact the API server at a network level.

Implements good practices from https://kubernetes.io/docs/concepts/security/rbac-good-practices/

Configuration

```yaml
subjects: # empty by default
- system:masters
- system:unauthenticated
- system:anonymous
```

Examples

Given the following policy settings:

```yaml
subjects: # empty by default
- system:masters
```

This RoleBinding would be rejected:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: do-all
  namespace: default
subjects:
  - kind: User
    name: system:masters
    apiGroup: rbac.authorization.k8s.io
```

And this would be accepted:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: do-all # cluster-scoped, so no namespace
subjects:
  - kind: User
    name: jane
    apiGroup: rbac.authorization.k8s.io
```
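As an added illustration (not code from the issue or from any Kubewarden policy), the subject check the issue describes, in Go: the `Settings`, `Subject` and `Binding` types are hypothetical minimal stand-ins for the policy settings and the RBAC API types, and the check matches on subject name regardless of kind, as the rejected example above (kind: User, name: system:masters) implies.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Settings mirrors the issue's policy configuration: subject names (groups) that must never be bound.
type Settings struct {
	Subjects []string `json:"subjects"`
}

// Subject and Binding are hypothetical minimal stand-ins for the
// rbac.authorization.k8s.io/v1 types; only the fields the check needs exist.
type Subject struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
}
type Binding struct {
	Kind     string    `json:"kind"`
	Subjects []Subject `json:"subjects"`
}

// Validate returns one message per denied subject; an empty result means
// the binding is accepted.
func Validate(settings Settings, b Binding) []string {
	denied := map[string]bool{}
	for _, s := range settings.Subjects {
		denied[s] = true
	}
	var violations []string
	for _, subj := range b.Subjects {
		if denied[subj.Name] {
			violations = append(violations, fmt.Sprintf("%s %q is not allowed as a subject", subj.Kind, subj.Name))
		}
	}
	return violations
}

// ValidateJSON decodes the JSON an admission request carries and refuses kinds the policy does not cover.
func ValidateJSON(settings Settings, raw []byte) ([]string, error) {
	var b Binding
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, err
	}
	if b.Kind != "RoleBinding" && b.Kind != "ClusterRoleBinding" {
		return nil, fmt.Errorf("unsupported kind %q", b.Kind)
	}
	return Validate(settings, b), nil
}
```

A non-empty result from `Validate` is what the policy would turn into an admission rejection; an error from `ValidateJSON` means the request should not have been routed to this policy at all.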
@viccuad viccuad changed the title New policy: Disallow binding groups in RoleBindings/ClusterRoleBindings New policy: Disallow binding groups in (Cluster)RoleBindings Jan 2, 2024