PlatformResourcesSign inSign Up

Ensure ABAC authorization on Kubernetes engine clusters is disabled

Error: ABAC authorization on Kubernetes engine clusters is enabled

Bridgecrew Policy ID: BC_GCP_KUBERNETES_2
Checkov Check ID: CKV_GCP_7
Severity: MEDIUM

Suggest Edits

ABAC authorization on Kubernetes engine clusters is enabled

Description

Kubernetes RBAC (Role-Based Access Control) can be used to grant permissions to resources at the cluster and namespace level. It allows defining roles with rules containing a set of permissions. RBAC has significant security advantages and is now stable in Kubernetes, superseding the benefits of legacy authorization with ABAC (Attribute-Based Access Control).

We recommend you disable ABAC authorization and use RBAC in GKE instead.

Fix - Buildtime

Terraform

resource "google_container_cluster" "primary" {
  name     = "my-gke-cluster"
  location = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1
  logging_service = "logging.googleapis.com/kubernetes"
  enable_legacy_abac = false
}

Updated about 2 months ago