Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Disable Legacy Authorization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that legacy authorization (also known as Attribute-Based Access Control or ABAC) is disabled for your Google Kubernetes Engine (GKE) clusters in order to guarantee compatibility with Role-Based Access Control (RBAC). RBAC provides more granular and easier-to-manage access control, which enhances security and reduces the risk of misconfigurations. RBAC is now the recommended method for managing permissions in Kubernetes.

Security

RBAC offers significant security advantages over ABAC in Google Kubernetes Engine (GKE) because it simplifies permission management by assigning roles to users or service accounts, limiting access based on predefined roles. This reduces the complexity of security policies and ensures more granular, easier-to-manage access control, making it less prone to misconfigurations compared to ABAC. When legacy authorization (i.e., ABAC) is enabled, user rights are granted through policies that combine attributes, which prevents RBAC support. Disable legacy authorization (ABAC) to switch to RBAC permissions.

Audit

To determine if legacy authorization is enabled or disabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, check the Legacy authorization attribute value to determine the feature status. If Legacy authorization is set to Enabled, legacy authorization is not disabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS: 

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project: 

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions: 

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to describe the Legacy Authorization (ABAC) feature status, available for the selected cluster: 

gcloud container clusters describe cc-gke-backend-cluster
	--region=us-central1
	--format="value(legacyAbac.enabled)"

06 The command output should return the requested feature status (True for enabled, False for disabled): 

True

If the container clusters describe command output returns True, as shown in the output example above, legacy authorization is not disabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

Legacy authorization (i.e., Attribute-Based Access Control or ABAC) has been replaced by Role-Based Access Control (RBAC) and is no longer recommended. To disable legacy authorization for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, click on the Edit legacy authorization button (i.e., pencil icon) available next to Legacy authorization to modify the feature settings.

08 Inside the Edit legacy authorization configuration box, uncheck the Enable legacy authorization setting checkbox to disable legacy authorization for your Google Kubernetes Engine (GKE) cluster. Choose SAVE CHANGES to apply the changes.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to turn off legacy authorization for the selected GKE cluster. This will disable Attribute-Based Access Control (ABAC) in favor of Role-Based Access Control (RBAC): 

gcloud container clusters update cc-gke-backend-cluster
	--region=us-central1
	--no-enable-legacy-authorization

02 The command output should return the full URL of the modified GKE cluster: 

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Dec 2, 2024

Related GKE rules