Description:
Legacy Authorization, also known as Attribute-Based Access Control (ABAC) has been superseded by Role-Based Access Control (RBAC) and is not under active development. RBAC is the recommended way to manage permissions in Kubernetes.
Rationale:
In Kubernetes, RBAC is used to grant permissions to resources at the cluster and namespace level. RBAC allows you to define roles with rules containing a set of permissions, whilst the legacy authorizer (ABAC) in Kubernetes Engine grants broad, statically defined permissions. As RBAC provides significant security advantages over ABAC, it is recommended option for access control. Where possible, legacy authorization must be disabled for GKE clusters.
Once the cluster has the legacy authorizer disabled, you must grant your user the ability to create authorization roles using RBAC to ensure that your role-based access control permissions take effect.
Using Google Cloud Console
Using Command Line
To disable Legacy Authorization for an existing cluster, run the following command:
gcloud container clusters update [CLUSTER_NAME]
--zone [COMPUTE_ZONE]
--no-enable-legacy-authorization