Legacy ABAC on a GKE cluster grants broad, hard to audit permissions that bypass Kubernetes RBAC. Disable it with gcloud container clusters update CLUSTER --no-enable-legacy-authorization and manage access through RBAC roles instead.
If you are running a GKE cluster created several years ago, or one provisioned from an old Terraform module, there is a decent chance it still has legacy ABAC authorization switched on. The gke_legacyabac check flags exactly this situation. It is a quiet misconfiguration that does not break anything today, which is precisely why it tends to survive untouched for years while quietly widening your blast radius.
This post walks through what the check detects, why ABAC is a liability in a modern cluster, how to turn it off safely, and how to make sure no new cluster shows up with it enabled again.
What this check detects
The gke_legacyabac check inspects each GKE cluster and reports a failure when legacy Attribute-Based Access Control (ABAC) is enabled instead of, or alongside, Kubernetes Role-Based Access Control (RBAC).
In the cluster configuration this surfaces as the legacyAbac field. When the check fails, the API returns something like this:
{
"name": "prod-cluster",
"legacyAbac": {
"enabled": true
}
}Note: ABAC was the original authorization mode in Kubernetes. It grants permissions based on attributes attached to a request (user, group, resource, namespace) using a flat policy file. RBAC, introduced later, models permissions as Roles and RoleBindings that are first-class Kubernetes API objects. RBAC is the default and recommended mechanism on every supported Kubernetes version.
On GKE, when legacy ABAC is enabled the cluster falls back to permissive built-in bindings that grant broad access to service accounts and other identities. That permissiveness is the whole problem.
Why it matters
Legacy ABAC does not just add an alternative way to authorize requests. It changes the default posture of the cluster from deny-by-default to something far more generous.
It grants overly broad permissions
With legacy ABAC enabled, GKE applies wide-reaching authorization rules that hand significant privileges to the cluster's identities. A pod or component that should only be able to read a single ConfigMap can end up with access that RBAC would never have granted. This violates least privilege at the cluster's foundation.
It is hard to audit
RBAC permissions live in the API as Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. You can list them, diff them, and review them in code. ABAC's flat policy model gives you none of that clarity. When an auditor or an incident responder asks "who can read secrets in the payments namespace," ABAC makes that a much harder question to answer.
It widens the blast radius of a compromise
Consider a common attack chain: an attacker exploits a vulnerable application running in a pod and gains code execution. From inside that pod they reach the Kubernetes API. On an RBAC cluster, the service account token mounted in the pod is usually scoped to almost nothing, so the attacker hits walls quickly. On a legacy ABAC cluster, those same default tokens often carry far more authority, turning a single application compromise into cluster-wide access to secrets, workloads, and other namespaces.
Danger: Legacy ABAC can effectively neutralize the RBAC policies you carefully wrote. If both are enabled, a request only needs to be authorized by one of them, so a permissive ABAC rule can override a tight RBAC deny. You may believe a workload is locked down when it is not.
It is a compliance flag
CIS Benchmarks for GKE and most internal cloud security baselines explicitly require legacy ABAC to be disabled. Leaving it on is a recurring audit finding that costs your team time on every review cycle.
How to fix it
The fix is to disable legacy authorization so the cluster relies solely on RBAC. Before you flip the switch, confirm your workloads and operators actually have the RBAC bindings they need, otherwise you can break access for service accounts that were quietly relying on ABAC.
Step 1: Check the current state
gcloud container clusters describe CLUSTER_NAME \
--zone ZONE \
--format="value(legacyAbac.enabled)"If this returns True, the check is failing and you need to remediate.
Step 2: Review existing RBAC bindings
Make sure the identities your applications and controllers rely on already have RBAC coverage. List the current bindings:
kubectl get clusterrolebindings
kubectl get rolebindings --all-namespacesPay attention to any custom service accounts used by your own workloads, CI deploy accounts, and third-party operators (ingress controllers, cert managers, monitoring agents). If any of them lack a binding, create the appropriate Role and RoleBinding first. For example, a read-only binding for a monitoring service account:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: metrics-reader
rules:
- apiGroups: [""]
resources: ["pods", "nodes", "services"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-reader-binding
subjects:
- kind: ServiceAccount
name: monitoring
namespace: observability
roleRef:
kind: ClusterRole
name: metrics-reader
apiGroup: rbac.authorization.k8s.ioStep 3: Disable legacy ABAC
Warning: Disabling legacy authorization triggers a cluster control plane update. The control plane may be briefly unavailable for API operations during the change. Running workloads keep serving traffic, but deployments and other API calls may pause for a few minutes. Schedule this outside a deploy freeze window.
For a zonal cluster:
gcloud container clusters update CLUSTER_NAME \
--zone ZONE \
--no-enable-legacy-authorizationFor a regional cluster:
gcloud container clusters update CLUSTER_NAME \
--region REGION \
--no-enable-legacy-authorizationStep 4: Verify
gcloud container clusters describe CLUSTER_NAME \
--zone ZONE \
--format="value(legacyAbac.enabled)"A return value of False (or an empty result) confirms ABAC is off and the check now passes.
Tip: After disabling ABAC, watch your cluster's audit logs for Forbidden errors over the next hour. They tell you exactly which service account is missing a binding so you can fix it precisely rather than guessing. Filter with protoPayload.status.code=7 in Cloud Logging.
Fixing it in infrastructure as code
Most clusters that drift into this state were created with IaC that did not set the field explicitly. Make the desired state explicit so it stays correct.
Terraform
On the google_container_cluster resource, set enable_legacy_abac to false (this is also the default, so the real win is being explicit and catching modules that override it):
resource "google_container_cluster" "primary" {
name = "prod-cluster"
location = "us-central1"
enable_legacy_abac = false
# RBAC is the default authorization mode once ABAC is off
}Apply the change and confirm the plan shows the cluster moving to enable_legacy_abac = false.
gcloud in a provisioning script
If you create clusters from scripts, never pass --enable-legacy-authorization. New clusters default to RBAC only, which is what you want.
How to prevent it from happening again
Disabling ABAC on one cluster is a fix. Stopping it from reappearing across your fleet is the actual goal.
Block it with policy as code
Use OPA Gatekeeper, Conftest, or a Terraform policy engine such as Sentinel to reject any cluster definition that enables legacy ABAC. A Conftest rule for Terraform plans looks like this:
package main
deny[msg] {
resource := input.resource_changes[_]
resource.type == "google_container_cluster"
resource.change.after.enable_legacy_abac == true
msg := sprintf("Cluster '%s' has legacy ABAC enabled; use RBAC instead", [resource.address])
}Gate it in CI/CD
Run that policy check on every pull request that touches cluster infrastructure. Wire it as a required status check so a non-compliant cluster cannot merge:
terraform plan -out=plan.tfplan
terraform show -json plan.tfplan > plan.json
conftest test plan.jsonContinuously scan running clusters
IaC gates only protect resources created through IaC. Clusters made by hand, by older pipelines, or in forgotten projects still need detection. This is where Lensix runs the gke_legacyabac check continuously across your GCP organization and alerts you the moment a cluster with ABAC enabled appears, regardless of how it was created.
Tip: Pair the IaC gate with continuous scanning. The gate stops bad configs from being merged, and the scanner catches the drift and the shadow clusters the gate never sees. Neither one is sufficient on its own.
Best practices
- Treat RBAC as the only authorization model. There is no modern reason to keep legacy ABAC on. Standardize on RBAC across every cluster.
- Apply least privilege to service accounts. Give each workload a dedicated service account with the narrowest Role it needs, and avoid binding anything to
cluster-adminunless absolutely required. - Disable automounting of default tokens where workloads do not call the Kubernetes API. Set
automountServiceAccountToken: falseto shrink the blast radius further. - Review RBAC bindings in code review. Keep Roles and RoleBindings in version control so privilege grants get the same scrutiny as application changes.
- Combine RBAC with Workload Identity so pods authenticate to Google Cloud APIs without long-lived service account keys, closing another common escalation path.
- Audit periodically. Run
kubectl auth can-i --listas different service accounts to confirm permissions match intent.
Legacy ABAC is the kind of finding that looks harmless on a dashboard and turns into a real incident when an attacker lands inside a pod. Turning it off costs you a short control plane update and a bit of RBAC cleanup. Leaving it on costs you the security guarantees you thought RBAC was giving you. Disable it, gate it in CI, and scan for it continuously.