Scenario #285
Security
Kubernetes v1.21, AKS

Cluster Admin Bound to All Authenticated Users

A ClusterRoleBinding accidentally granted cluster-admin to every authenticated user because its subject was the built-in system:authenticated group.

What Happened

A misconfigured ClusterRoleBinding manifest granted admin access to every authenticated principal, bypassing the intended RBAC restrictions.

Diagnosis Steps
  1. Audited all ClusterRoleBindings in the cluster.
  2. Found a binding for cluster-admin whose subject was kind: Group, name: system:authenticated.
  3. Verified that ordinary authenticated users could create and delete resources cluster-wide.
Root Cause

RBAC misconfiguration during onboarding automation.

Fix/Workaround
• Deleted the binding immediately.
• Implemented an RBAC policy validation webhook.
Lessons Learned

Binding a privileged role to a built-in catch-all group such as system:authenticated effectively disables RBAC for the whole cluster; misuse of these groups can be catastrophic.

How to Avoid
  1. Avoid binding privileged roles to broad built-in groups.
  2. Implement pre-commit checks for RBAC manifests.
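As an added example (not part of this scenario write-up), the following Python script implements both the audit from the Diagnosis Steps and the pre-commit check from How to Avoid: it scans ClusterRoleBinding objects and flags any that bind a ClusterRole to a catch-all subject (system:authenticated, system:unauthenticated, system:anonymous). It assumes the input is the JSON produced by kubectl get clusterrolebindings -o json, or a single parsed manifest; the set of privileged role names and the allowlist of default bindings that Kubernetes itself creates for these groups are assumptions chosen for the example, and the embedded sample objects are constructed.

```python
"""Flag ClusterRoleBindings that grant ClusterRoles to catch-all groups.

Usage (constructed for this example):
  kubectl get clusterrolebindings -o json | python rbac_audit.py
  python rbac_audit.py manifests/rbac.json   # pre-commit style check
Exit status is 1 when a high-severity finding exists.
"""
from __future__ import annotations

import json
import sys
from typing import Iterable

# Subjects that match every caller (or every anonymous caller).
CATCH_ALL_SUBJECTS = {
    ("Group", "system:authenticated"),
    ("Group", "system:unauthenticated"),
    ("User", "system:anonymous"),
}

# Roles that must never be bound to a catch-all subject. cluster-admin is the
# role from this scenario; the other names are assumed examples.
PRIVILEGED_ROLES = {"cluster-admin", "admin", "edit"}

# Bindings Kubernetes creates by default for system:authenticated /
# system:unauthenticated (discovery and self-info only). Assumed allowlist.
DEFAULT_BENIGN_BINDINGS = {
    "system:basic-user",
    "system:discovery",
    "system:public-info-viewer",
}


def iter_bindings(doc: dict) -> list[dict]:
    """Accept a single ClusterRoleBinding or a *List document and return items."""
    if doc.get("kind") == "ClusterRoleBinding":
        return [doc]
    return [i for i in doc.get("items", []) if i.get("kind") == "ClusterRoleBinding"]


def find_risky_bindings(bindings: Iterable[dict]) -> list[dict]:
    """Return findings for bindings whose subjects include a catch-all group."""
    findings = []
    for b in bindings:
        name = b.get("metadata", {}).get("name", "<unnamed>")
        if name in DEFAULT_BENIGN_BINDINGS:
            continue  # expected default bindings, skip
        role = b.get("roleRef", {})
        if role.get("kind") != "ClusterRole":
            continue
        role_name = role.get("name", "")
        for subj in b.get("subjects") or []:
            key = (subj.get("kind"), subj.get("name"))
            if key not in CATCH_ALL_SUBJECTS:
                continue
            findings.append({
                "binding": name,
                "role": role_name,
                "subject": f"{key[0]}/{key[1]}",
                # Any catch-all binding deserves review; privileged roles fail.
                "severity": "high" if role_name in PRIVILEGED_ROLES else "review",
            })
    return findings


def check_document(doc: dict) -> int:
    """Print findings and return the exit status a pre-commit hook would use."""
    findings = find_risky_bindings(iter_bindings(doc))
    for f in findings:
        print(f"[{f['severity'].upper()}] {f['binding']}: {f['role']} -> {f['subject']}")
    return 1 if any(f["severity"] == "high" for f in findings) else 0


def _binding(name: str, role: str, subjects: list[tuple[str, str]]) -> dict:
    """Build a constructed ClusterRoleBinding object for the sample below."""
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": k, "name": n} for k, n in subjects],
    }


# Constructed sample mirroring the scenario: one accidental cluster-admin
# binding, one correctly scoped binding, one default binding, one to review.
SAMPLE = {
    "kind": "ClusterRoleBindingList",
    "items": [
        _binding("onboarding-admins", "cluster-admin", [("Group", "system:authenticated")]),
        _binding("platform-admins", "cluster-admin", [("Group", "platform-admins")]),
        _binding("system:discovery", "system:discovery", [("Group", "system:authenticated")]),
        _binding("everyone-view", "view", [("Group", "system:authenticated")]),
    ],
}


def main() -> int:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    elif not sys.stdin.isatty():
        doc = json.load(sys.stdin)
    else:
        doc = SAMPLE  # no input given: run against the constructed sample
    return check_document(doc)


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments it audits the constructed sample and exits 1 because of the onboarding-admins binding; the everyone-view binding is reported for review but does not fail the check, and the default system:discovery binding is ignored. Wire the same script into a pre-commit hook over rendered manifests to catch the binding before it reaches the cluster.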