Legacy ABAC permissions are enabled.
Explanation
You should disable Attribute-Based Access Control (ABAC), and instead use Role-Based Access Control (RBAC) in GKE.
RBAC has significant security advantages and is now stable in Kubernetes, so it’s time to disable ABAC.
Insecure Example
The following example will fail the GCP005 check.
resource "google_container_cluster" "gke" {
  enable_legacy_abac = "true"
}
Secure Example
The following example will pass the GCP005 check.
resource "google_container_cluster" "gke" {
  # ...
  # enable_legacy_abac not set
  # ...
}