Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Restrict "cluster-admin" Role Usage

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the use of the "cluster-admin" role is restricted across your OCI Kubernetes Engine (OKE) clusters as this RBAC role grants wide-ranging, unrestricted powers over the entire environment and must only be used where and when absolutely necessary to enforce the Principle of Least Privilege (POLP).

Security

In Kubernetes, the "cluster-admin" role grant super-user access with wide-ranging privileges. This role allows a principal to perform any action on any resource across all namespaces. For security and compliance purposes, the "cluster-admin" role application must be strictly limited to required situations.

Audit

To determine if the use of the "cluster-admin" role is restricted across your OCI Kubernetes Engine (OKE) cluster, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the kubectl get clusterrolebindings command to describe the list of all cluster role bindings within your OCI Kubernetes Engine (OKE) cluster. This helps you identify the principals that have been granted the highly privileged "cluster-admin" role across the entire OKE cluster:

    kubectl get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name

  8. The command output should return a list where the ROLE column describes the "cluster-admin" role for any resource listed, identifying the specific SUBJECT (principal) that possesses full, unrestricted administrative permissions across the OKE cluster:

    NAME                                                   ROLE                                                      SUBJECT
admin-user-binding                                     cluster-admin                                             project5-dev-group
security-group-binding                                 cluster-admin                                             security-admins-group
external-audit-binding                                 cluster-admin                                             external-auditor-sa
calico-kube-controllers                                calico-kube-controllers                                   calico-kube-controllers
cluster-admin                                          cluster-admin                                             system:masters

...                                                    ...                                                       ...

canal-calico                                           calico-node                                               canal
canal-flannel                                          flannel                                                   canal
cluster-admin                                          cluster-admin                                             system:masters
system:node-proxier                                    system:node-proxier                                       system:kube-proxy
system:service-account-issuer-discovery                system:service-account-issuer-discovery                   system:serviceaccounts
system:volume-scheduler                                system:volume-scheduler                                   ystem:kube-scheduler

    Review each principal listed in the command output and ensure that "cluster-admin" role is required for it. When auditing for privileged access, focus on role bindings that don't have the system: prefix, as those are usually created by OKE cluster operators or users and are safe to modify or delete. These bindings must be strictly audited to ensure the principal requires unrestricted cluster access.

Remediation / Resolution

To ensure that the use of the "cluster-admin" role is restricted across the OCI Kubernetes Engine (OKE) cluster, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. To enforce the Principle of Least Privilege, remove the "cluster-admin" cluster role binding for all principals that don't require privileged access. Ensure that the role binding that you want to remove don't have the system: prefix as this is required for the operation of system components. Replace \<cluster-role-binding-name\> with your own role binding:

    kubectl delete clusterrolebinding <cluster-role-binding-name>

  8. The command output should return the role binding removal confirmation, as shown in the example below:

    clusterrolebinding.rbac.authorization.k8s.io "<cluster-role-binding-name>" deleted

References

Publication date Dec 11, 2025

Related OCI-OKE rules