Back to Policies

Restrict Binding System Groups

Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-binding-system-groups
  annotations:
    policies.kyverno.io/title: Restrict Binding System Groups
    policies.kyverno.io/category: Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: RoleBinding, ClusterRoleBinding, RBAC
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: Certain system groups exist in Kubernetes which grant permissions that are used for certain system-level functions yet typically never appropriate for other users. This policy prevents creating bindings to some of these groups including system:anonymous, system:unauthenticated, and system:masters.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-anonymous
      match:
        any:
          - resources:
              kinds:
                - RoleBinding
                - ClusterRoleBinding
      validate:
        message: Binding to system:anonymous is not allowed.
        pattern:
          subjects:
            - name: "!system:anonymous"
    - name: restrict-unauthenticated
      match:
        any:
          - resources:
              kinds:
                - RoleBinding
                - ClusterRoleBinding
      validate:
        message: Binding to system:unauthenticated is not allowed.
        pattern:
          subjects:
            - name: "!system:unauthenticated"
    - name: restrict-masters
      match:
        any:
          - resources:
              kinds:
                - RoleBinding
                - ClusterRoleBinding
      validate:
        message: Binding to system:masters is not allowed.
        pattern:
          subjects:
            - name: "!system:masters"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application