Enabling legacy Attribute-Based Access Control (ABAC) on Google Kubernetes Engine (GKE) clusters weakens the security of access controls.

Why is this an issue?

For Kubernetes, ABAC has been superseded by Role-Based Access Control (RBAC) and is no longer under active development. ABAC grants permissions based on attributes defined in a policy file, which is harder to audit and maintain than RBAC policies. Enabling ABAC on a GKE cluster increases the attack surface and can lead to unintended access if the legacy policy file is misconfigured.

What is the potential impact?

If ABAC is enabled and a cluster is compromised, an attacker may be able to perform actions that would have been denied under a correctly configured RBAC policy. This can lead to unauthorized access to sensitive workloads, data exfiltration, or privilege escalation within the cluster.

How to fix it

Code examples

Noncompliant code example

resource "google_container_cluster" "example" {
  name               = "example-cluster"
  location           = "us-central1"
  enable_legacy_abac = true # Noncompliant: legacy ABAC authorizer is enabled alongside RBAC
}

Compliant solution

resource "google_container_cluster" "example" {
  name               = "example-cluster"
  location           = "us-central1"
  enable_legacy_abac = false # RBAC only; this is also the provider default when the attribute is omitted
}
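Beyond reviewing the HCL by eye, the same check can be run against the JSON output of `terraform show -json tfplan` before apply. The script below is an added example, not part of the rule page: it walks every module in a plan and reports each `google_container_cluster` that sets `enable_legacy_abac` to true. The plan document is a constructed sample, and the names in it are hypothetical.

```python
import json

# Constructed sample of `terraform show -json tfplan` output (not a real plan).
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_container_cluster.example",
                 "type": "google_container_cluster",
                 "values": {"name": "example", "enable_legacy_abac": True}},
                {"address": "google_container_cluster.hardened",
                 "type": "google_container_cluster",
                 "values": {"name": "hardened", "enable_legacy_abac": False}},
            ],
            "child_modules": [
                {"address": "module.gke",
                 "resources": [
                     # Attribute omitted: the google provider defaults it to false.
                     {"address": "module.gke.google_container_cluster.inner",
                      "type": "google_container_cluster",
                      "values": {"name": "inner"}},
                 ]}
            ],
        }
    },
})


def _walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_legacy_abac(plan_json: str) -> list[str]:
    """Return addresses of planned GKE clusters with enable_legacy_abac = true."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [
        res["address"]
        for res in _walk(root)
        if res.get("type") == "google_container_cluster"
        and res.get("values", {}).get("enable_legacy_abac") is True
    ]


if __name__ == "__main__":
    for address in find_legacy_abac(SAMPLE_PLAN):
        print(f"Noncompliant: {address} enables legacy ABAC")
```

A non-empty result from `find_legacy_abac` is a reasonable gate to fail in CI before the plan is applied.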
