gcp-k8s-legacy-rbac-on
Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
Kubernetes versions before 1.8 allowed the use of Attribute-Based Access Control (ABAC), a mechanism that is now deprecated. It has been superseded by full-featured Role-Based Access Control (RBAC), so the legacy, unsupported ABAC mechanism should be disabled on GKE clusters and RBAC used instead.
Examples
Insecure Example
```hcl
resource "google_container_cluster" "k8s-cluster" {
  name               = "my-gke"
  location           = "us-central1"
  initial_node_count = 1
  network            = google_compute_network.vpc.name
  subnetwork         = google_compute_subnetwork.subnet.name
  enable_legacy_abac = true
}
```
Secure Example
```hcl
resource "google_container_cluster" "k8s-cluster" {
  name               = "my-gke"
  location           = "us-central1"
  initial_node_count = 1
  network            = google_compute_network.vpc.name
  subnetwork         = google_compute_subnetwork.subnet.name
  min_master_version = "1.8" # Ensures a master version that supports RBAC (string attribute)
  enable_legacy_abac = false # Omitting this attribute has the same effect, as it defaults to false
}
```