
Metadata

Id: kubernetes-cluster-admin-role-binding-with-super-user-permissions

Platform: Kubernetes

Severity: Low

Category: Access Control

Description

Ensure that the cluster-admin role is used only where required (RBAC). This rule detects ClusterRoleBinding resources whose roleRef is the cluster-admin ClusterRole, which grants superuser permissions across the entire cluster. Each such binding widens the blast radius of a compromised subject (user, group, or service account), so they should be kept to the minimum needed, in line with the principle of least privilege.

Compliant Code Examples

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: ""
# trigger validation

Non-Compliant Code Examples

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""
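As an added example (not Datadog's rule implementation), the check below applies the same logic to parsed manifests: it reports every ClusterRoleBinding whose roleRef is the cluster-admin ClusterRole, as in the non-compliant example above, and passes the compliant binding to view. The input is a constructed kubectl-style List; binding names other than tiller-clusterrolebinding are made up for this example.

```python
"""Flag ClusterRoleBindings that grant cluster-admin (added example)."""
import json
from typing import Iterable

SUPERUSER_ROLE = "cluster-admin"


def subject_label(subject: dict) -> str:
    """Render a subject as kind/namespace/name for triage output."""
    kind = subject.get("kind", "<unknown>")
    name = subject.get("name", "<unnamed>")
    ns = subject.get("namespace")
    return f"{kind}/{ns}/{name}" if ns else f"{kind}/{name}"


def find_cluster_admin_bindings(manifests: Iterable[dict]) -> list[dict]:
    """Return one finding per ClusterRoleBinding bound to cluster-admin.

    Only the exact ClusterRole name matches; a namespaced RoleBinding to
    cluster-admin is outside this rule's scope and is skipped here.
    """
    findings = []
    for m in manifests:
        if m.get("kind") != "ClusterRoleBinding":
            continue
        ref = m.get("roleRef") or {}
        if ref.get("kind") == "ClusterRole" and ref.get("name") == SUPERUSER_ROLE:
            findings.append({
                "binding": m.get("metadata", {}).get("name", "<unnamed>"),
                "subjects": [subject_label(s) for s in m.get("subjects") or []],
            })
    return findings


# Constructed input in the shape of `kubectl get clusterrolebinding -o json`.
TILLER = {"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}
SAMPLE_LIST = {"apiVersion": "v1", "kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "tiller-clusterrolebinding"},
     "subjects": [TILLER], "roleRef": {"kind": "ClusterRole", "name": "view"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "tiller-cluster-admin"},
     "subjects": [TILLER], "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "ns-admin", "namespace": "dev"},
     "subjects": [TILLER], "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]}

if __name__ == "__main__":
    for finding in find_cluster_admin_bindings(SAMPLE_LIST["items"]):
        print(json.dumps(finding))
```

Feeding it live cluster output (`kubectl get clusterrolebinding -o json`) and passing the `items` array gives an inventory of which subjects currently hold superuser rights.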