gcp-k8s-legacy-rbac-on

Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters

Kubernetes versions before 1.8 allowed a now deprecated authorization mechanism called Attribute-Based Access Control (ABAC). It has since been replaced by full-featured Role-Based Access Control (RBAC), so the old mechanism, which is unsupported, should be disabled and RBAC used instead.

Examples

Insecure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  enable_legacy_abac = true
}

Secure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  min_master_version = "1.8" # A string in Terraform; ensures a version recent enough to have RBAC
  # enable_legacy_abac is intentionally omitted: it defaults to false
}
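To show how this rule is applied in practice, here is an added Python checker (not the rule's own implementation) that walks google_container_cluster blocks in constructed Terraform text and reports those that set enable_legacy_abac = true, treating an omitted attribute as the safe default just as the secure example above does. The resource names and sample snippets are constructed for the demo.

```python
import re

# Constructed sample Terraform snippets for this demo (not from the original page).
INSECURE_TF = '''
resource "google_container_cluster" "k8s-cluster" {
  enable_legacy_abac = true
}
'''
SECURE_TF = '''
resource "google_container_cluster" "k8s-cluster" {
  min_master_version = "1.8"
  # enable_legacy_abac = true   (commented out, so the default of false applies)
}
'''
MIXED_TF = '''
resource "google_container_cluster" "prod" {
  name               = "prod-gke"
  enable_legacy_abac = false
  master_auth { client_certificate_config { issue_client_certificate = false } }
}
resource "google_container_cluster" "legacy" {
  name               = "old-gke"
  enable_legacy_abac = true
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ABAC_RE = re.compile(r'^\s*enable_legacy_abac\s*=\s*(true|false)\b', re.M)

def iter_resource_blocks(hcl):
    """Yield (type, name, body) for each top-level resource block, found by brace counting."""
    pos = 0
    while (m := RESOURCE_RE.search(hcl, pos)):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {'{': 1, '}': -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]
        pos = i

def find_legacy_abac(hcl):
    """Return addresses of google_container_cluster resources that set enable_legacy_abac = true."""
    findings = []
    for rtype, rname, body in iter_resource_blocks(hcl):
        if rtype != "google_container_cluster":
            continue
        body = re.sub(r'(#|//).*', '', body)  # strip comments so commented-out settings are ignored
        m = ABAC_RE.search(body)
        if m and m.group(1) == "true":  # omitted or false is the safe state
            findings.append(f"google_container_cluster.{rname}")
    return findings
```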

More information