Restrict Binding System Groups
Description
Certain system groups exist in Kubernetes which grant permissions used for system-level functions yet are typically never appropriate for other users. This policy prevents creating RoleBindings or ClusterRoleBindings whose subjects include the system:masters group.
Kyverno Policy
Refer to the Nirmata curated policies - restrict-binding-system-groups.
Resource Example
Below is an example of a ClusterRoleBinding resource that does not bind to the system:masters group.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: goodcrb02
subjects:
  - kind: ServiceAccount
    namespace: foo
    name: foo-reader
roleRef:
  kind: ClusterRole
  name: manager
  apiGroup: rbac.authorization.k8s.io
```
Below is an example of a RoleBinding resource that does not bind to the system:masters group.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: goodrb01
subjects:
  - kind: User
    name: foo
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: foo-bar
  apiGroup: rbac.authorization.k8s.io
```
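The policy above is enforced at admission time, so bindings created before it was installed are not covered unless background scanning is enabled. The following script is an added example, not part of this page or of the Nirmata curated policy: it applies the same check offline to the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` produces, flagging every binding whose subjects include the Group `system:masters`. The sample input embedded in it is constructed for this example (it reuses the `goodrb01` binding from the page plus a deliberately offending `badcrb-example` binding); the function and variable names are this example's own.

```python
"""Audit RoleBindings and ClusterRoleBindings for subjects in the system:masters group.

Input is a Kubernetes List object as printed by
    kubectl get rolebindings,clusterrolebindings -A -o json
Pipe that output into this script; with no piped input it audits the
constructed SAMPLE below.
"""
import json
import sys

# Groups that should never appear as a binding subject (same set the policy blocks).
RESTRICTED_GROUPS = {"system:masters"}


def offending_subjects(binding, restricted=RESTRICTED_GROUPS):
    """Return the subjects of one binding that reference a restricted group.

    Only subjects of kind Group count: a User or ServiceAccount that happens to
    be named "system:masters" is not a group membership. A binding may have
    subjects set to null, which is treated as an empty list.
    """
    return [
        subj
        for subj in (binding.get("subjects") or [])
        if subj.get("kind") == "Group" and subj.get("name") in restricted
    ]


def audit(bindings_list, restricted=RESTRICTED_GROUPS):
    """Return one (kind, namespace, name, group) tuple per violating subject."""
    findings = []
    for item in bindings_list.get("items", []):
        meta = item.get("metadata", {})
        for subj in offending_subjects(item, restricted):
            findings.append(
                (item.get("kind"), meta.get("namespace"), meta.get("name"), subj["name"])
            )
    return findings


# Constructed sample input: one compliant RoleBinding (from the page) and one
# hypothetical ClusterRoleBinding that binds the system:masters group.
SAMPLE = {
    "kind": "List",
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "goodrb01", "namespace": "default"},
            "subjects": [
                {"kind": "User", "name": "foo", "apiGroup": "rbac.authorization.k8s.io"}
            ],
            "roleRef": {"kind": "Role", "name": "foo-bar",
                        "apiGroup": "rbac.authorization.k8s.io"},
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "badcrb-example"},
            "subjects": [
                {"kind": "Group", "name": "system:masters",
                 "apiGroup": "rbac.authorization.k8s.io"}
            ],
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                        "apiGroup": "rbac.authorization.k8s.io"},
        },
    ],
}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, namespace, name, group in audit(data):
        scope = namespace if namespace else "<cluster>"
        print(f"{kind} {scope}/{name} binds group {group}")
    sys.exit(1 if audit(data) else 0)
```

Expect the built-in `cluster-admin` ClusterRoleBinding, which every kubeadm-style cluster bootstraps with the `system:masters` group as its subject, to show up in real output; the policy's purpose is to stop additional bindings of that kind from being created, not to remove that one. The exit status makes the script usable as a CI or cron check.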