Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters

In GKE, legacy authorization predates Kubernetes RBAC and grants broad static permissions that are hard to reason about. Modern GKE clusters should rely on RBAC and keep legacy authorization disabled.

Category

Controls

High

Applies to

Google Cloud

Coverage

1 query

Asset types

1 covered

Rationale

Kubernetes authorization is additive: if any enabled authorizer allows a request, the request succeeds. Leaving legacy authorization enabled can bypass the tighter permissions you intended to enforce with RBAC. For a cloud ops team, the practical rule is simple: use RBAC for cluster permissions and do not keep older authorization modes enabled unless you are explicitly maintaining a legacy cluster with a documented exception.

Remediation guidance

Using Google Cloud Console

  1. Open Kubernetes Engine in Google Cloud Console.
  2. Select the affected cluster.
  3. Open the security or access configuration for the cluster.
  4. If the cluster still exposes a Legacy authorization option, set it to Disabled and save the change.

Using Command Line

For older GKE clusters where the setting is still supported, disable legacy authorization:

gcloud container clusters update [CLUSTER_NAME] \
  --location [LOCATION] \
  --no-enable-legacy-authorization

Validate the result:

gcloud container clusters describe [CLUSTER_NAME] \
  --location [LOCATION]

Confirm that legacy authorization is disabled and that your RBAC roles and bindings still allow the expected administrative and workload actions.
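The following script is an added example, not part of this control page or of any Cyscale tooling. It applies the same condition as the stored check (legacyAbacEnabled true) to the JSON that `gcloud container clusters list --format=json` returns, treats a missing `legacyAbac` block as disabled (the API omits the block for clusters where the mode is off), and prints the page's update command for each non-compliant cluster. The embedded cluster records are constructed sample data.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `gcloud container clusters list
# --format=json`, trimmed to the fields this check needs (not real clusters).
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "legacy-prod", "location": "us-central1",
   "legacyAbac": {"enabled": true}},
  {"name": "rbac-only", "location": "europe-west1",
   "legacyAbac": {"enabled": false}},
  {"name": "modern-auto", "location": "us-east1"}
]
"""


def parse_clusters(text: str) -> List[Dict]:
    """Parse the JSON list produced by `gcloud container clusters list`."""
    return json.loads(text)


def legacy_abac_enabled(cluster: Dict) -> bool:
    """True only when the cluster explicitly reports legacyAbac.enabled == true.

    Clusters with the mode disabled usually omit the legacyAbac block
    entirely, so a missing key is treated as disabled rather than unknown.
    """
    return bool(cluster.get("legacyAbac", {}).get("enabled", False))


def find_noncompliant(clusters: List[Dict]) -> List[Dict]:
    """Clusters that still have legacy authorization enabled."""
    return [c for c in clusters if legacy_abac_enabled(c)]


def remediation_command(cluster: Dict) -> str:
    """Build the update command from this control's remediation guidance."""
    return (f"gcloud container clusters update {cluster['name']} "
            f"--location {cluster['location']} "
            "--no-enable-legacy-authorization")


def load_live_clusters() -> List[Dict]:
    """Fetch real cluster records (needs gcloud and an authenticated session)."""
    proc = subprocess.run(["gcloud", "container", "clusters", "list", "--format=json"],
                          check=True, capture_output=True, text=True)
    return parse_clusters(proc.stdout)


if __name__ == "__main__":
    clusters = parse_clusters(SAMPLE_CLUSTERS_JSON)  # or load_live_clusters()
    findings = find_noncompliant(clusters)
    for c in findings:
        print(f"NONCOMPLIANT {c['name']} ({c['location']}): {remediation_command(c)}")
    print(f"{len(findings)} of {len(clusters)} clusters still use legacy authorization")
```

Run it against live data by swapping in `load_live_clusters()`; an empty findings list corresponds to the stored check's expected result of `eq []`.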

Impact

If administrators or workloads still depend on legacy authorization or ABAC-era permissions, they can lose access after this change. Review RoleBinding and ClusterRoleBinding objects before rollout.

Notes

This control is mainly relevant for older clusters. In modern GKE versions, legacy authorization should already be disabled or no longer be part of normal cluster configuration.

References

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control

Service-wide remediation

Recommended when many resources are affected: standardize on RBAC-only cluster templates and treat any cluster that still relies on legacy authorization as an exception that must be migrated or retired.

Use GKE cluster templates, Terraform modules, and platform guardrails that always create clusters with RBAC and without older authorization modes.

Operational rollout

  1. Identify legacy clusters first and confirm whether any workloads or operators still rely on older authorization behavior.
  2. Fix RBAC roles and bindings before disabling legacy authorization.
  3. Re-scan after the change and document any approved exceptions with an owner and an expiry date.

Query logic

These are the stored checks tied to this control.

Legacy Authorization is set to Disabled on Kubernetes Engine Clusters

Connectors

Google Cloud

Covered asset types

Cluster

Expected check: eq []

gkeClusters(where:{legacyAbacEnabled_NOT:false}){...AssetFragment}
© 2026 Cyscale Limited