Vendor services misconfigurations

GKE using Legacy Authorization (ABAC)

Risk Level

Informational (4)

Description

Legacy Authorization, also known as Attribute-Based Access Control (ABAC), has been superseded by Role-Based Access Control (RBAC) and is not under active development. RBAC is the recommended way to manage permissions in Kubernetes. It was detected that {GcpGkeCluster} uses ABAC instead of RBAC.

Recommended Mitigation

It is recommended to disable Legacy Authorization on {GcpGkeCluster}. For more info:
https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110
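
The check and mitigation above can be run across a whole project. The following is an added example, not part of the original rule: it audits output shaped like `gcloud container clusters list --format=json` and emits the command that disables Legacy Authorization for each flagged cluster. The sample cluster names and locations are constructed, and treating a missing or empty `legacyAbac` object as disabled is an assumption about how unset fields are serialized.

```python
import json
import shlex

# Constructed sample shaped like `gcloud container clusters list --format=json`
# output. Cluster names and locations are made up for this example.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "legacy-batch", "location": "us-central1-a", "legacyAbac": {"enabled": true}},
  {"name": "web-prod", "location": "europe-west1", "legacyAbac": {}},
  {"name": "ci-runners", "location": "us-east1-b"},
  {"name": "old-tools", "location": "asia-east1", "legacyAbac": {"enabled": true}}
]
"""


def abac_enabled(cluster):
    """Return True only when legacyAbac.enabled is explicitly true.

    Assumption: a missing, null or empty legacyAbac object means Legacy
    Authorization is off, because unset booleans are omitted from the JSON.
    """
    legacy = cluster.get("legacyAbac") or {}
    return legacy.get("enabled") is True


def audit(clusters_json):
    """Parse cluster JSON and return one finding per ABAC-enabled cluster."""
    findings = []
    for cluster in json.loads(clusters_json):
        if not abac_enabled(cluster):
            continue
        name, location = cluster["name"], cluster["location"]
        findings.append({
            "cluster": name,
            "location": location,
            # Command that turns Legacy Authorization off for this cluster.
            "remediation": (
                f"gcloud container clusters update {shlex.quote(name)} "
                f"--location {shlex.quote(location)} "
                "--no-enable-legacy-authorization"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTERS_JSON):
        print(f"{finding['cluster']} ({finding['location']}): ABAC enabled")
        print(f"  fix: {finding['remediation']}")
```

Before disabling ABAC on a flagged cluster, confirm that the workloads and users relying on it have equivalent RBAC roles and bindings in place, since their access will otherwise be denied.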