Policy: GCP > CIS v1 > 7 Kubernetes Engine > 7.03 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters (Scored)

Configures auditing against a CIS Benchmark item.

Level: 1 (Scored)

In Kubernetes, authorizers interact by granting a permission if any authorizer grants the permission. The legacy authorizer in Kubernetes Engine grants broad, statically defined permissions. To ensure that RBAC limits permissions correctly, you must disable the legacy authorizer. RBAC has significant security advantages, can help you ensure that users only have access to cluster resources within their own namespace and is now stable in Kubernetes.

Resource Types

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

GCP > CIS v1 > 7 Kubernetes Engine

Controls

Policy Specification

Schema Type	`string`
Default	`Per GCP > CIS v1`
Valid Values [YAML]	`Per GCP > CIS v1` `Skip` `Check: Level 1 (Scored)`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v0716

Policy Type URI

tmod:@turbot/gcp-cisv1#/policy/types/r0703

GraphQL

query policyType(id: "tmod:@turbot/gcp-cisv1#/policy/types/r0703") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/gcp-cisv1#/policy/types/r0703'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/gcp-cisv1#/policy/types/r0703'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/gcp-cisv1#/policy/types/r0703"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv1#/policy/types/r0703"