---
title: "Restrict Binding System Groups"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/rbac_best_practices/restrict-binding-system-groups/
---


### Description

Kubernetes has certain built-in system groups whose permissions serve system-level functions and are almost never appropriate for other users. This policy prevents creating bindings for the `system:masters` group.

### Risks

`system:masters` is a built-in Kubernetes group that provides an unrestricted level of access to the Kubernetes API server.
Users who are members of this group have full cluster-admin rights to the cluster. Even if every ClusterRole and Role is deleted from the cluster, members of this group still retain full access. `system:masters` is a break-glass superuser group that bypasses the authorization layer (for example RBAC) and is not intended for general cluster administration.

### Kyverno Policy

Refer to the Nirmata curated policies - [restrict-binding-system-groups](https://github.com/nirmata/kyverno-policies/blob/main/rbac-best-practices/restrict-binding-system-groups/restrict-binding-system-groups.yaml).

#### Resource Example

Below is an example of a `ClusterRoleBinding` resource that does not bind to the `system:masters` group.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: goodcrb02
subjects:
- kind: ServiceAccount
  namespace: foo
  name: foo-reader
roleRef:
  kind: ClusterRole
  name: manager
  apiGroup: rbac.authorization.k8s.io
```

Below is an example of a `RoleBinding` resource that does not bind to the `system:masters` group.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: goodrb01
subjects:
- kind: User
  name: foo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: foo-bar
  apiGroup: rbac.authorization.k8s.io
```
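As an added example (not the Nirmata curated policy linked above), the following Kyverno `ClusterPolicy` implements the check this page describes: it denies any `RoleBinding` or `ClusterRoleBinding` whose subjects include the `system:masters` group, and is followed by a constructed binding it would reject. The policy and binding names are hypothetical.

```yaml
# Added example, not the Nirmata curated policy linked above. A Kyverno
# ClusterPolicy that denies RoleBindings and ClusterRoleBindings whose
# subjects include the system:masters group. Names are hypothetical.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-binding-system-groups-example
spec:
  validationFailureAction: Enforce   # start with Audit to review reports before blocking
  background: true                   # also report bindings that already exist
  rules:
  - name: deny-system-masters-subjects
    match:
      any:
      - resources:
          kinds:
          - RoleBinding
          - ClusterRoleBinding
    validate:
      message: "Binding the system:masters group is not allowed."
      deny:
        conditions:
          any:
          # Collect the names of all Group subjects. The `|| []` fallback keeps
          # the expression valid when a binding has no subjects at all, which
          # is legal for RoleBindings and must not trip the rule.
          - key: "{{ request.object.subjects[?kind=='Group'].name || `[]` }}"
            operator: AnyIn
            value:
            - system:masters
---
# Constructed ClusterRoleBinding that the rule above rejects. system:masters
# already bypasses RBAC, so a binding like this adds nothing legitimate and
# should be treated as a misconfiguration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: badcrb01
subjects:
- kind: Group
  name: system:masters
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

With `background: true`, existing bindings that match are surfaced in Kyverno policy reports, so the rule doubles as an audit of bindings created before the policy was installed.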

