The cluster-admin ClusterRole provides unlimited access to the Kubernetes API, therefore users and service accounts should not be granted this ClusterRole.
Excessive access to the Kubernetes API increases the risk of data loss or unauthorized modification of application configuration or data.
The cluster-admin ClusterRole is a built-in role provided by Kubernetes. It provides wildcard access to the API, which is not in line with the principle of least privilege.
Identify affected resources
To check whether users or service accounts have been assigned the cluster-admin ClusterRole, review the ClusterRoleBinding objects in the cluster for bindings whose roleRef names cluster-admin. This can be done using a command like
kubectl get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name == "cluster-admin") | {name: .metadata.name, subjects: .subjects}'
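The same check, written as an added Python example rather than anything from the original page: it parses the JSON that `kubectl get clusterrolebindings -o json` emits (the real API shape: `items[].roleRef` and `items[].subjects`) and lists every subject bound to cluster-admin. The sample input is constructed for the example; the binding and subject names in it are hypothetical. The built-in `cluster-admin` binding of the group `system:masters` ships with every cluster and is skipped by default so that only bindings an operator added are reported.

```python
import json
import sys

# Constructed sample in the shape `kubectl get clusterrolebindings -o json` returns,
# trimmed to the fields the check needs. Names below are hypothetical, not real cluster output.
SAMPLE_BINDINGS_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # Kubernetes' own default binding: Group system:masters -> cluster-admin
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}],
        },
        {   # Hypothetical binding granting cluster-admin to a user and a service account
            "metadata": {"name": "ops-team-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [
                {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "alice@example.com"},
                {"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"},
            ],
        },
        {   # Binding to a narrower ClusterRole: must not be reported
            "metadata": {"name": "readers"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "readers"}],
        },
        {   # Binding with no subjects at all (legal in the API): nothing to report
            "metadata": {"name": "orphan-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        },
    ],
})


def find_cluster_admin_subjects(bindings_json, skip_default_binding=True):
    """Return (binding name, subject kind, namespace, subject name) tuples for
    every subject bound to the cluster-admin ClusterRole.

    bindings_json is the text produced by `kubectl get clusterrolebindings -o json`.
    The default `cluster-admin` binding (Group system:masters) is skipped unless
    skip_default_binding is False.
    """
    doc = json.loads(bindings_json)
    findings = []
    for item in doc.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole" or role_ref.get("name") != "cluster-admin":
            continue
        binding_name = item["metadata"]["name"]
        if skip_default_binding and binding_name == "cluster-admin":
            continue
        # `subjects` is optional; a binding may carry none.
        for subject in item.get("subjects") or []:
            findings.append((
                binding_name,
                subject.get("kind"),
                subject.get("namespace", ""),  # only ServiceAccount subjects carry a namespace
                subject.get("name"),
            ))
    return findings


if __name__ == "__main__":
    # Pipe real `kubectl get clusterrolebindings -o json` output in; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BINDINGS_JSON
    for binding, kind, namespace, name in find_cluster_admin_subjects(data):
        where = f"{namespace}/{name}" if namespace else name
        print(f"{binding}: {kind} {where}")
```

Run it as `kubectl get clusterrolebindings -o json | python3 check_cluster_admin.py` (file name assumed); every line it prints is a binding that the remediation below should replace with a narrower role.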
Remediate vulnerable resources
Create custom roles for all user access with the lowest possible level of access required. One option for this is to use audit2rbac to create RBAC objects based on audit logs.
Kubernetes RBAC good practices