
KA-A002: RoleBinding grants cluster-admin role

Error Security

CIS Kubernetes Benchmark v1.8, Section 5.1.1: Ensure that the cluster-admin role is only used where required

Why This Matters

Binding the cluster-admin ClusterRole grants unrestricted access to all resources in all namespaces. CIS Kubernetes Benchmark 5.1.1 recommends ensuring that the cluster-admin role is only used where required. Use more restrictive roles instead.

How to Fix

Bind a more restrictive role instead of cluster-admin

Before (incorrect)

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

After (correct)

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
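
To find existing bindings that would trip this rule, the check below walks a binding list and reports every RoleBinding or ClusterRoleBinding whose roleRef points at cluster-admin. It is an added example, not the analyzer's own implementation; the sample data, the `REVIEWED` allowlist and the function name are constructed for illustration.

```python
import json

# Constructed sample, shaped like the output of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "staging"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "staging"}]},
 {"kind": "RoleBinding", "metadata": {"name": "readers", "namespace": "staging"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "local-admin", "namespace": "dev"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "cluster-admin"}}
]}
""")

# Hypothetical allowlist: bindings already reviewed and accepted as required.
REVIEWED = {("ClusterRoleBinding", "", "cluster-admin")}


def find_cluster_admin_bindings(doc, reviewed=frozenset()):
    """Return (kind, namespace, name, subjects) for each unreviewed binding
    whose roleRef points at the cluster-admin ClusterRole."""
    findings = []
    for item in doc.get("items", []):
        kind = item.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = item.get("roleRef") or {}
        # Match on kind as well as name: a namespaced Role may share the name.
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        meta = item.get("metadata") or {}
        key = (kind, meta.get("namespace", ""), meta.get("name", ""))
        if key in reviewed:
            continue
        # "subjects" is omitted when a binding has none.
        subjects = [f'{s.get("kind")}/{s.get("name")}' for s in item.get("subjects") or []]
        findings.append(key + (subjects,))
    return findings


if __name__ == "__main__":
    for kind, ns, name, subjects in find_cluster_admin_bindings(SAMPLE, REVIEWED):
        print(f"KA-A002 {kind} {ns or '-'}/{name}: {', '.join(subjects) or 'no subjects'}")
```
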

Rule Details

Rule Code: KA-A002
Severity: Error
Category: Security

Related Rules