Ensure ABAC authorization on Kubernetes engine clusters is disabled
Error: ABAC authorization on Kubernetes engine clusters is enabled
Bridgecrew Policy ID: BC_GCP_KUBERNETES_2
Checkov Check ID: CKV_GCP_7
Severity: MEDIUM
Description
Kubernetes RBAC (Role-Based Access Control) grants permissions to resources at the cluster and namespace level by defining roles whose rules contain a set of permissions. RBAC has significant security advantages, is stable in Kubernetes, and supersedes the legacy ABAC (Attribute-Based Access Control) authorizer.
We recommend you disable ABAC authorization and use RBAC in GKE instead.
Fix - Buildtime
Terraform
resource "google_container_cluster" "primary" {
  name                     = "my-gke-cluster"
  location                 = "us-central1"
  remove_default_node_pool = true
  initial_node_count       = 1
  logging_service          = "logging.googleapis.com/kubernetes"
  enable_legacy_abac       = false   # legacy ABAC off; the cluster relies on RBAC
}
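The following is an added example, not Checkov's own implementation of CKV_GCP_7: a minimal Checkov-style resource check that mirrors the policy above (flag any google_container_cluster whose enable_legacy_abac is true) and runs it over a constructed Terraform snippet. The tiny HCL parser, the sample resource names and the treatment of an omitted attribute as passing (based on the google provider's default of false) are assumptions made for this illustration.

```python
"""Minimal Checkov-style check for the GKE legacy ABAC setting.

Added example, not Checkov's own code: it mirrors the logic of CKV_GCP_7
(fail google_container_cluster resources that set enable_legacy_abac = true)
over a simplified dict representation of parsed Terraform resources.
"""
import re

PASSED = "PASSED"
FAILED = "FAILED"


def check_legacy_abac(resource_conf: dict) -> str:
    """Return FAILED if the cluster explicitly enables legacy ABAC.

    The google provider defaults enable_legacy_abac to false, so a resource
    that omits the attribute passes (assumption based on the provider default,
    consistent with the page's recommendation to rely on RBAC).
    """
    value = resource_conf.get("enable_legacy_abac", False)
    # Terraform parsers often wrap scalar attributes in a one-element list.
    if isinstance(value, list):
        value = value[0] if value else False
    if isinstance(value, str):
        value = value.strip().lower() == "true"
    return FAILED if value is True else PASSED


def parse_hcl_clusters(hcl: str) -> dict:
    """Toy parser for flat google_container_cluster blocks (constructed for
    this example; not a general HCL parser). Returns {resource_name: attrs}."""
    clusters = {}
    block_re = re.compile(
        r'resource\s+"google_container_cluster"\s+"([^"]+)"\s*\{(.*?)\n\}',
        re.S,
    )
    for name, body in block_re.findall(hcl):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, raw = line.partition("=")
            raw = raw.split("#", 1)[0].strip().strip('"')
            if raw in ("true", "false"):
                attrs[key.strip()] = raw == "true"
            elif raw.isdigit():
                attrs[key.strip()] = int(raw)
            else:
                attrs[key.strip()] = raw
        clusters[name] = attrs
    return clusters


# Constructed sample input: one non-compliant cluster, one explicit fix,
# one cluster relying on the provider default.
SAMPLE_TF = """
resource "google_container_cluster" "legacy" {
  name               = "old-cluster"
  location           = "us-central1"
  enable_legacy_abac = true
}

resource "google_container_cluster" "primary" {
  name               = "my-gke-cluster"
  location           = "us-central1"
  enable_legacy_abac = false
}

resource "google_container_cluster" "implicit" {
  name     = "defaults-only"
  location = "us-central1"
}
"""


def scan(hcl: str) -> dict:
    """Run the check over every cluster resource in the snippet."""
    return {name: check_legacy_abac(conf)
            for name, conf in parse_hcl_clusters(hcl).items()}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_TF).items():
        print(f"google_container_cluster.{name}: {result}")
```

Running the block reports `legacy` as FAILED and `primary` and `implicit` as PASSED. For clusters that already exist, the same setting is exposed as the `legacyAbac.enabled` field of the cluster resource (for example in the output of `gcloud container clusters describe`), so a runtime audit can look for the same condition the buildtime check flags.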