RHACS scan fails because of multiple user or group subjects with cluster-admin-level access.
Environment
- Red Hat Advanced Cluster Security for Kubernetes (RHACS)
- 4.x
Issue
An ACS scan fails because of multiple user or group subjects with cluster-admin-level access.
Warning:
(Fail) Multiple User or Group subjects were found with cluster-admin-level access. Typically, a single Group subject is most appropriate.
The reported roles are default roles:
Name            Role ref        Sub kind   Subject name      Namespace
cluster-admins  cluster-admin   User       system:admin      All namespaces **
system-masters  system:master   Group      system:masters    All namespaces

** Comes from:
   Name:  cluster-admin
   Group: system:masters
   Label: kubernetes.io/bootstrapping=rbac-defaults
Resolution
The check is working as designed; there is no exclusion for these default bindings.
Root Cause
These bindings are created at cluster bootstrap. No user objects were ever stored for their subjects; the subjects are authenticated by client certificate, and the User and Group names in the bindings are matched against the identity presented in that certificate.
Diagnostic Steps
For a list of usernames associated with the cluster-admin and system:masters roles, run the following:
# On OpenShift 4.x "oc get clusterrolebinding" returns rbac.authorization.k8s.io/v1 objects,
# which carry the bound identities under .subjects (the .userNames field belongs only to the
# legacy authorization.openshift.io/v1 representation), so print each subject's kind and name:
$ oc get clusterrolebinding -o json | jq -r '.items[] | select(.metadata.name | startswith("cluster-admin")) | .subjects[]? | "\(.kind) \(.name)"'
$ oc get clusterrolebinding -o json | jq -r '.items[] | select(.metadata.name=="system:masters") | .subjects[]? | "\(.kind) \(.name)"'
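As an added example (not part of the Red Hat solution), the following Python script applies a simplified form of the rule behind the RHACS warning to the JSON that `oc get clusterrolebinding -o json` produces: it collects every User or Group subject bound directly to the cluster-admin ClusterRole, ignores ServiceAccount subjects, and reports Fail when more than one is found. The embedded bindings are constructed to mirror the two default bindings in the table above, and the function names are my own.

```python
import json
import sys

# Constructed sample modelled on the two default bindings the KB lists
# (cluster-admins -> User system:admin, cluster-admin -> Group system:masters)
# plus a ServiceAccount binding that the check ignores. Not real cluster output.
SAMPLE_BINDINGS = json.dumps({
    "items": [
        {"metadata": {"name": "cluster-admin",
                      "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "cluster-admins"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "system:admin"}]},
        {"metadata": {"name": "ci-operator-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci",
                       "namespace": "ci-tools"}]},
    ],
})

def cluster_admin_subjects(bindings_json: str):
    """Return (binding, kind, name) for every User/Group subject that a
    ClusterRoleBinding ties directly to the cluster-admin ClusterRole."""
    found = []
    for item in json.loads(bindings_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") in ("User", "Group"):
                found.append((item["metadata"]["name"], subj["kind"], subj["name"]))
    return found

def evaluate(bindings_json: str):
    """Pass/fail rule from the warning text: more than one User or Group
    subject with cluster-admin-level access fails the check."""
    subjects = cluster_admin_subjects(bindings_json)
    return ("Fail" if len(subjects) > 1 else "Pass", subjects)

if __name__ == "__main__":
    # Pipe `oc get clusterrolebinding -o json` in, or run with no input for the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS
    status, subjects = evaluate(data)
    print(f"({status}) User/Group subjects with cluster-admin: {len(subjects)}")
    for binding, kind, name in subjects:
        print(f"  {binding:<20} {kind:<6} {name}")
```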
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.