Restrict Binding System Groups

Description

Kubernetes has built-in system groups whose members hold permissions needed for system-level functions; those permissions are almost never appropriate for ordinary users. The most sensitive is system:masters: any member of this group bypasses RBAC checks entirely and has unrestricted superuser access, so a binding that references the group is at best redundant and at worst a sign of misconfiguration. This policy prevents creating RoleBinding or ClusterRoleBinding resources for the system:masters group. Note that membership in system:masters is decided by the authenticator (for example the O= field of a client certificate), not by RBAC, so the policy does not control who belongs to the group; it only blocks bindings that reference it.
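Before switching the policy to enforce, it is useful to find bindings that already reference the group. The following is an added example, not part of this page or of the curated policy: a standard-library-only Python audit over the JSON that kubectl emits for bindings. It flags a binding when a subject of kind Group names system:masters and also when the roleRef name is system:masters (a group mistakenly referenced as if it were a role). The group set, the sample offenders badcrb01 and badrb01, and the embedded JSON input are constructed for the example.

```python
"""Pre-flight audit for the restrict-binding-system-groups policy.

Reads the JSON that `kubectl get clusterrolebindings,rolebindings -A -o json`
produces and reports every binding that references a restricted system group,
so existing offenders can be found before the policy is switched to enforce.
Only the standard library is used.
"""
import json
import sys

# Groups to flag. system:masters is the one the policy targets; extending the
# set is an assumption of this example, not part of the policy.
SYSTEM_GROUPS = frozenset({"system:masters"})

BINDING_KINDS = frozenset({"RoleBinding", "ClusterRoleBinding"})


def binding_violations(binding, groups=SYSTEM_GROUPS):
    """Return the reasons one binding manifest references a restricted group.

    Two shapes are checked: a subject of kind Group naming the group (the
    binding grants a role to the group), and a roleRef whose name is the
    group (a misconfiguration that treats the group as if it were a role).
    An empty list means the binding is compliant.
    """
    reasons = []
    if binding.get("kind") not in BINDING_KINDS:
        return reasons
    for subject in binding.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") in groups:
            reasons.append(f"subject Group {subject['name']}")
    role_ref = binding.get("roleRef") or {}
    if role_ref.get("name") in groups:
        reasons.append(f"roleRef {role_ref.get('kind')} {role_ref['name']}")
    return reasons


def audit(doc, groups=SYSTEM_GROUPS):
    """Audit a single binding or a kubectl List of bindings.

    Returns [(namespace, kind, name, reasons), ...] for each violating
    binding; cluster-scoped bindings have an empty namespace.
    """
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for binding in items:
        reasons = binding_violations(binding, groups)
        if reasons:
            meta = binding.get("metadata") or {}
            findings.append((meta.get("namespace", ""), binding["kind"],
                             meta.get("name", ""), reasons))
    return findings


# Constructed sample input: the two compliant bindings from this page plus
# two offenders (badcrb01, badrb01) made up for the example. Real input
# comes from kubectl, see the usage note.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
         "metadata": {"name": "goodcrb02"},
         "subjects": [{"kind": "ServiceAccount", "namespace": "foo", "name": "foo-reader"}],
         "roleRef": {"kind": "ClusterRole", "name": "manager",
                     "apiGroup": "rbac.authorization.k8s.io"}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": "goodrb01", "namespace": "default"},
         "subjects": [{"kind": "User", "name": "foo", "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "Role", "name": "foo-bar", "apiGroup": "rbac.authorization.k8s.io"}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
         "metadata": {"name": "badcrb01"},
         "subjects": [{"kind": "Group", "name": "system:masters",
                       "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                     "apiGroup": "rbac.authorization.k8s.io"}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": "badrb01", "namespace": "kube-system"},
         "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "ClusterRole", "name": "system:masters",
                     "apiGroup": "rbac.authorization.k8s.io"}},
    ],
}


def main():
    # Use piped kubectl output when present, otherwise the constructed sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    findings = audit(doc)
    for namespace, kind, name, reasons in findings:
        where = f"{namespace}/{name}" if namespace else name
        print(f"{kind} {where}: {'; '.join(reasons)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a live cluster with `kubectl get clusterrolebindings,rolebindings -A -o json | python3 audit_bindings.py`; a non-zero exit means at least one binding references system:masters. Bindings that only grant roles to the group add nothing to its members' access, so the finding to act on is who is placed in the group by the authenticator, not the binding itself.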

Kyverno Policy

Refer to the Nirmata curated policies - restrict-binding-system-groups.

Resource Example

Below is an example of a ClusterRoleBinding resource that does not bind to the system:masters group: its only subject is a ServiceAccount, and its roleRef names an ordinary ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: goodcrb02
subjects:
- kind: ServiceAccount
  namespace: foo
  name: foo-reader
roleRef:
  kind: ClusterRole
  name: manager
  apiGroup: rbac.authorization.k8s.io

Below is an example of a RoleBinding resource that does not bind to the system:masters group.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: goodrb01
subjects:
- kind: User
  name: foo
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: foo-bar
  apiGroup: rbac.authorization.k8s.io