Profile applicability: Level 1
Legacy Authorization, also known as Attribute-Based Access Control (ABAC), has been superseded by Role-Based Access Control (RBAC) and is not under active development. RBAC is the recommended way to manage permissions in Kubernetes.
In Kubernetes, RBAC is used to grant permissions to resources at the cluster and namespace level. RBAC allows the definition of roles with rules containing a set of permissions, whilst the legacy authorizer (ABAC) in Kubernetes Engine grants broad, statically defined permissions. As RBAC provides significant security advantages over ABAC, it is the recommended option for access control. Where possible, legacy authorization must be disabled for GKE clusters.
Note: Kubernetes Engine clusters running GKE version 1.8 and later disable the legacy authorization system by default, and thus role-based access control permissions take effect with no special action required.
Impact
Once the cluster has the legacy authorizer disabled, the user must be granted the ability to create authorization roles using RBAC to ensure that the role-based access control permissions take effect.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- From the list of clusters, click on each cluster to open the Details pane, and make sure 'Legacy Authorization' is set to Disabled.
Using Command Line:
To check Legacy Authorization status for an existing cluster, run the following command:

gcloud container clusters describe <cluster_name> --zone <compute_zone> --format json | jq '.legacyAbac'

The output should return null ({}) if Legacy Authorization is Disabled. If Legacy Authorization is Enabled, the above command will return a true value.
Remediation
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- Select Kubernetes clusters for which Legacy Authorization is enabled.
- Click EDIT.
- Set Legacy Authorization to Disabled.
- Click SAVE.
Using Command Line:
To disable Legacy Authorization for an existing cluster, run the following command:

gcloud container clusters update <cluster_name> --zone <compute_zone> --no-enable-legacy-authorization
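The audit and remediation commands above check one cluster at a time. The following added example (not part of the benchmark) evaluates the JSON that gcloud emits for a whole project and prints the matching update command for every non-compliant cluster. It assumes the cluster resource carries `legacyAbac.enabled` (absent when disabled, as the jq check above implies) and a `location` field, and it uses the dash-count convention (two dashes for a zone such as us-central1-a, one for a region such as us-central1) to pick --zone or --region; the cluster list embedded below is constructed sample data.

```python
import json
import shlex

# Constructed sample: what `gcloud container clusters list --format json`
# might return for a project with one zonal cluster still on legacy ABAC.
SAMPLE_CLUSTERS = json.loads("""
[
  {"name": "prod-east", "location": "us-east1-b"},
  {"name": "legacy-test", "location": "us-central1-a",
   "legacyAbac": {"enabled": true}},
  {"name": "regional-dev", "location": "europe-west1",
   "legacyAbac": {"enabled": false}}
]
""")


def legacy_abac_enabled(cluster: dict) -> bool:
    """True if the legacy ABAC authorizer is on for this cluster resource.

    Assumption: disabled clusters omit `legacyAbac` entirely (the audit
    command's `jq '.legacyAbac'` prints null), so a missing key is compliant.
    """
    legacy = cluster.get("legacyAbac") or {}
    return bool(legacy.get("enabled", False))


def find_legacy_abac_clusters(clusters: list[dict]) -> list[dict]:
    """Filter a cluster list down to the non-compliant entries."""
    return [c for c in clusters if legacy_abac_enabled(c)]


def remediation_commands(clusters: list[dict]) -> list[str]:
    """Build the `--no-enable-legacy-authorization` update command per finding.

    Assumption: a location with two dashes is a zone (--zone), otherwise it is
    a region (--region). Names are shell-quoted so the output is safe to paste.
    """
    cmds = []
    for c in find_legacy_abac_clusters(clusters):
        loc = c["location"]
        flag = "--zone" if loc.count("-") == 2 else "--region"
        cmds.append(
            f"gcloud container clusters update {shlex.quote(c['name'])} "
            f"{flag} {shlex.quote(loc)} --no-enable-legacy-authorization"
        )
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CLUSTERS):
        print(cmd)
```

To run it against a real project, replace SAMPLE_CLUSTERS with `json.load(sys.stdin)` and pipe in `gcloud container clusters list --format json`.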
Additional Information:
On clusters running GKE 1.6 or 1.7, Kubernetes Service accounts have full permissions on the Kubernetes API by default. To ensure that the role-based access control permissions take effect for a Kubernetes service account, the cluster must be created or updated with the option --no-enable-legacy-authorization. This requirement is removed for clusters running GKE version 1.8 or higher.