GCP Kubernetes Engine Clusters Have Legacy Authorization Enabled

This policy identifies GCP Kubernetes Engine clusters on which the legacy authorizer (ABAC) is enabled. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions to all cluster users. Once the legacy authorizer setting is disabled, RBAC can limit each authorized user's permissions to what that user actually needs.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
Terraform

Build Rules

GCP Kubernetes Engine Clusters have Legacy Authorization enabled.
JSON Query:
$.resource[*].google_container_cluster.*.*[*].enable_legacy_abac anyTrue
Recommendation:
Recommendation: disable Legacy Authorization on GCP Kubernetes Engine clusters.
Ensure that Legacy Authorization is disabled for GCP Kubernetes Engine clusters. If the template sets "enable_legacy_abac", make sure it is set to false.
For example:
  "google_container_cluster": [
    {
      "<container_cluster_name>": [
        {
          "initial_node_count": 3,
          "location": "us-central1-a",
          "name": "marcellus-wallace",
          "enable_legacy_abac": false
        }
      ]
    }
  ]
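The following is an added example, not part of the policy or its product code: it walks a JSON-converted Terraform template along the same path as the build rule's query ($.resource[*].google_container_cluster.*.*[*].enable_legacy_abac anyTrue), reports which clusters still enable legacy ABAC, and produces a remediated copy with the attribute set to false. The cluster names and the template layout are constructed for the example.

```python
import copy
import json

# Constructed sample template in the JSON shape the policy's query walks.
# "primary" is non-compliant (legacy ABAC enabled); "secondary" is compliant.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "google_container_cluster": [
        {
          "primary": [
            {"name": "marcellus-wallace", "location": "us-central1-a",
             "initial_node_count": 3, "enable_legacy_abac": true}
          ],
          "secondary": [
            {"name": "vincent-vega", "location": "us-central1-a",
             "initial_node_count": 1, "enable_legacy_abac": false}
          ]
        }
      ]
    }
  ]
}
""")


def _iter_clusters(template):
    """Yield (cluster_name, attribute_dict) for every cluster instance,
    following $.resource[*].google_container_cluster.*.*[*]."""
    for block in template.get("resource", []):                   # resource[*]
        for group in block.get("google_container_cluster", []):  # .google_container_cluster.*
            for cluster_name, instances in group.items():        # .* (keyed by cluster name)
                for attrs in instances:                          # [*]
                    yield cluster_name, attrs


def clusters_with_legacy_abac(template):
    """Names of clusters whose enable_legacy_abac is explicitly true.
    An absent attribute is not flagged, matching the rule's 'anyTrue'."""
    return [name for name, attrs in _iter_clusters(template)
            if attrs.get("enable_legacy_abac") is True]


def template_violates_policy(template):
    """anyTrue semantics: the rule fires if at least one cluster matches."""
    return bool(clusters_with_legacy_abac(template))


def remediate(template):
    """Return a deep copy with enable_legacy_abac forced to false wherever set."""
    fixed = copy.deepcopy(template)
    for _, attrs in _iter_clusters(fixed):
        if "enable_legacy_abac" in attrs:
            attrs["enable_legacy_abac"] = False
    return fixed
```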

Run Rule Recommendation

  1. Log in to the GCP Portal.
  2. Go to Kubernetes Engine (left panel).
  3. Select Kubernetes clusters.
  4. From the list of clusters, choose the reported cluster.
  5. Click the EDIT button.
  6. Set 'Legacy Authorization' to Disabled.
  7. Click Save.

Compliance

There are 8 standards that are applicable to this policy:
  • HIPAA
  • NIST 800-53 Rev4
  • PCI DSS v3.2
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • ISO 27001:2013
  • CCPA 2018
