Kubernetes RBAC users are not managed with Google Groups for GKE
Description
Cluster administrators should use G Suite (Google Workspace) Groups together with Cloud IAM to assign Kubernetes RBAC roles to a group of users, rather than binding roles to individual email addresses through Cloud IAM alone. On- and off-boarding users is difficult to automate and prone to error. Keeping a single source of truth for user permissions in G Suite Groups reduces the number of places an individual must be off-boarded from and prevents users from accumulating unique permission sets that raise the cost of audit.
Code Example
```hcl
resource "google_container_cluster" "example" {
  name     = var.name
  location = var.location
  project  = data.google_project.project.name

  # Remediation: map the cluster's RBAC subjects to a Google Group so that
  # membership, not individual emails, governs access. GKE requires the group
  # to be named gke-security-groups@<your domain>.
  authenticator_groups_config {
    security_group = "[email protected]"
  }
}
```
Remediation
Terraform
- Resource: google_container_cluster
- Arguments: authenticator_groups_config.security_group
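The check above, implemented as an added example over a `terraform show -json` plan (this is illustrative code, not Checkov's own implementation of CKV_GCP_65). It flags every `google_container_cluster` whose `authenticator_groups_config.security_group` is absent or empty; the sample plan embedded below is constructed for the example.

```python
"""Detect GKE clusters in a Terraform plan that do not use Google Groups for RBAC."""
import json

# Constructed sample plan: one remediated cluster, one without the block, one with
# an empty group, and an unrelated resource that must be ignored.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_container_cluster.good", "type": "google_container_cluster",
     "values": {"name": "good", "authenticator_groups_config":
                [{"security_group": "gke-security-groups@example.com"}]}},
    {"address": "google_container_cluster.bad", "type": "google_container_cluster",
     "values": {"name": "bad", "authenticator_groups_config": []}},
    {"address": "google_container_cluster.empty", "type": "google_container_cluster",
     "values": {"name": "empty", "authenticator_groups_config": [{"security_group": ""}]}},
    {"address": "google_compute_network.net", "type": "google_compute_network", "values": {}},
]}}})


def iter_resources(module):
    """Yield resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def groups_configured(values):
    """True when authenticator_groups_config carries a non-empty security_group.

    In plan JSON a nested block is rendered as a list of objects; a block that was
    never declared appears as an empty list or is missing entirely.
    """
    for block in values.get("authenticator_groups_config") or []:
        group = block.get("security_group")
        if isinstance(group, str) and group.strip():
            return True
    return False


def find_violations(plan_json):
    """Return the addresses of GKE clusters that fail IAC-0924 / CKV_GCP_65."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "google_container_cluster"
            and not groups_configured(r.get("values", {}))]


if __name__ == "__main__":
    for address in find_violations(SAMPLE_PLAN):
        print(f"FAIL IAC-0924: {address} lacks authenticator_groups_config.security_group")
```

Run it against a real plan with `terraform show -json tfplan` piped into `find_violations`; resources inside child modules are covered by the recursive walk.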
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0924 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_65 |