Restrict Binding System Groups

Description

Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet are typically never appropriate for other users. This policy prevents creating bindings for the system:masters group.

Risks

system:masters is a built-in group in Kubernetes that provides an unrestricted level of access to the Kubernetes API server. Users who are members of this group have full cluster-admin rights to the cluster. Even if every ClusterRole and Role is deleted from the cluster, users who are members of this group still retain full access to the cluster. system:masters is a break-glass, superuser group that bypasses the authorization layer (for example RBAC) and is not intended for general cluster administration.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-binding-system-groups.

Resource Example

Below is an example of a ClusterRoleBinding resource that does not bind to the system:masters group.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: goodcrb02
subjects:
- kind: ServiceAccount
  namespace: foo
  name: foo-reader
roleRef:
  kind: ClusterRole
  name: manager
  apiGroup: rbac.authorization.k8s.io

Below is an example of a RoleBinding resource that does not bind to the system:masters group.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: goodrb01
subjects:
- kind: User
  name: foo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: foo-bar
  apiGroup: rbac.authorization.k8s.io
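The same check the policy enforces at admission time can also be run against manifests already in a cluster or a repository. The following is an added example, not the Nirmata policy or any Kyverno code: it walks RoleBinding and ClusterRoleBinding manifests decoded into Python dicts (the function names, and the second, non-compliant manifest, are constructed for illustration) and reports every binding whose subject is the system:masters group.

```python
"""Audit check for bindings that grant the system:masters group.

Added example, not the Nirmata/Kyverno policy: scans RoleBinding and
ClusterRoleBinding manifests (already decoded into dicts) for any Group
subject named system:masters. All manifests below are constructed."""

FORBIDDEN_GROUPS = frozenset({"system:masters"})
BINDING_KINDS = ("RoleBinding", "ClusterRoleBinding")


def binding_violations(manifest, forbidden=FORBIDDEN_GROUPS):
    """Forbidden group names bound by one manifest; [] for non-bindings
    and for bindings without subjects (which Kubernetes allows)."""
    if manifest.get("kind") not in BINDING_KINDS:
        return []
    hits = []
    for subject in manifest.get("subjects") or []:
        # The authorization bypass is tied to group membership, so only Group
        # subjects count; a User or ServiceAccount with the same name is not it.
        if subject.get("kind") == "Group" and subject.get("name") in forbidden:
            hits.append(subject["name"])
    return hits


def audit(manifests):
    """Map binding name -> forbidden groups, listing only violators."""
    return {m["metadata"]["name"]: v for m in manifests
            if (v := binding_violations(m))}


# Constructed: the page's compliant ClusterRoleBinding and one binding the
# policy should reject because its subject is the system:masters group.
GOOD_CRB = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "goodcrb02"},
    "subjects": [{"kind": "ServiceAccount", "namespace": "foo", "name": "foo-reader"}],
    "roleRef": {"kind": "ClusterRole", "name": "manager",
                "apiGroup": "rbac.authorization.k8s.io"},
}
BAD_CRB = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "badcrb01"},
    "subjects": [{"kind": "Group", "name": "system:masters",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "view",
                "apiGroup": "rbac.authorization.k8s.io"},
}

if __name__ == "__main__":
    print(audit([GOOD_CRB, BAD_CRB]))  # {'badcrb01': ['system:masters']}
```

Feeding it the output of `kubectl get clusterrolebindings,rolebindings -A -o json` (the `items` list) turns it into a quick cluster-wide audit that complements the admission-time policy.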