Cluster-admin restricted
Description
ClusterRoleBindings to cluster-admin should be restricted to limited identities (cluster operators only).
⚠️ Risk Impact
cluster-admin is the full Kubernetes superuser role. When it is granted broadly, the compromise of any single bound credential gives total control of the cluster.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Audit ClusterRoleBindings with kubectl get clusterrolebindings -o yaml | grep cluster-admin, then replace cluster-admin grants held by application workloads with namespace-scoped Roles and RoleBindings.
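As an added example (not EchelonGraph's own code), a small Python audit that answers the "who has cluster-admin?" and "service accounts with cluster-admin?" questions from the parsed JSON form of kubectl get clusterrolebindings. It matches on roleRef rather than grepping text, so a binding whose name does not contain "cluster-admin" is still found. The sample binding list, the severity tiers and the operator allow-list are constructed assumptions; audit_live_cluster assumes kubectl is installed and configured.

```python
import json
import subprocess

# Constructed sample shaped like parsed `kubectl get clusterrolebindings -o json`, not real output.
SAMPLE = {
    "kind": "ClusterRoleBindingList",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "ci-debug"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"},
                      {"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "app-view"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "dev@example.com"}]},
    ],
}

# Groups that effectively mean "everyone"; cluster-admin bound to them is the worst case.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
ALLOWED_OPERATOR_GROUPS = {"system:masters"}  # hypothetical allow-list of operator groups

def find_cluster_admin_subjects(doc):
    """Return (binding, subject kind, subject name, severity) for each subject bound to cluster-admin."""
    findings = []
    for crb in doc.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue  # only the cluster-admin ClusterRole is in scope for this control
        for s in crb.get("subjects", []):  # a binding may legitimately have no subjects
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount":
                name = f"{s.get('namespace', '')}/{name}"
            if kind == "Group" and name in BROAD_GROUPS:
                sev = "critical"  # every principal in the cluster becomes superuser
            elif kind == "Group" and name in ALLOWED_OPERATOR_GROUPS:
                sev = "info"      # expected operator grant, still listed for review
            elif kind == "ServiceAccount":
                sev = "high"      # workload or pipeline identity holding full control
            else:
                sev = "medium"    # human identity: needs a per-identity justification
            findings.append((crb["metadata"]["name"], kind, name, sev))
    return findings

def audit_live_cluster():
    """Assumes kubectl is on PATH and pointed at the target cluster."""
    out = subprocess.check_output(["kubectl", "get", "clusterrolebindings", "-o", "json"])
    return find_cluster_admin_subjects(json.loads(out))
```

Running find_cluster_admin_subjects(SAMPLE) lists the operator group, the CI service account and the system:authenticated group, while the view-only binding is ignored.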
💀 Real-World Attack Scenario
A CI/CD pipeline's service account was granted cluster-admin 'temporarily' during a debugging session. The grant persisted for 8 months. When the pipeline was compromised via a malicious notebook upload, the attacker had cluster-admin from the first minute. Total impact: $4.2M.
💰 Cost of Non-Compliance
Over-privileged service accounts: 4.6× higher breach impact (IBM 2024).
📋 Audit Questions
1. Who has cluster-admin?
2. Justification per identity?
3. Service accounts with cluster-admin?
4. Audit cadence?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Temporary cluster-admin that becomes permanent
- ⛔ Auto-generated default SA tokens auto-mounted
- ⛔ Wildcard verbs in RoleBindings
📈 Business Value
Restricting cluster-admin contains the worst-case K8s breach scenario.
⏱️ Effort Estimate
Quarterly review
EchelonGraph audits cluster-admin grants continuously
🔗 Cross-Framework References
Automate CIS Kubernetes 5.1.6 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.