Overview
Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required. Each of these permissions allows a particular subject to escalate their privileges beyond those explicitly granted by cluster administrators.
Rationale
The impersonate privilege allows a subject to impersonate other users, gaining their rights to the cluster. The bind privilege allows the subject to add a binding to a cluster role or role, which escalates their effective permissions in the cluster. The escalate privilege allows a subject to modify cluster roles to which they are bound, increasing their rights to that level.
Each of these permissions has the potential to allow for privilege escalation to cluster-admin level.
Impact
There are some cases where these permissions are required for cluster service operation, and care should be taken before removing these permissions from system service accounts.
Default value
In a default kubeadm cluster, the system:masters group and clusterrole-aggregation-controller service account have access to the escalate privilege. The system:masters group also has access to bind and impersonate.
Remediation guidance
Where possible, remove the impersonate, bind and escalate rights from subjects.
References
- https://workbench.cisecurity.org/sections/1126661/recommendations/1838597
- https://www.impidio.com/blog/kubernetes-rbac-security-pitfalls
Multiple Remediation Paths
SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.
ASSET-LEVEL: Fix only the affected resources identified by this control.
PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.
References for Service-Wide Patterns
- Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.
Query logic
These are the stored checks tied to this control.
Kubernetes RoleBindings to Roles which provide escalate privileges
Connectors
Covered asset types
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide escalate privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide escalate privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to Roles which provide bind privileges
Connectors
Covered asset types
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide bind privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide bind privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to Roles which provide impersonate privileges
Connectors
Covered asset types
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide impersonate privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide impersonate privileges
Connectors
Covered asset types
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
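The same verb/resource/apiGroup matching that the stored checks above apply, and the rationale's point that only bound roles matter, as an offline Python check; this is an added example, not the platform's own query code, and the Role/Binding objects it runs on are constructed samples in the shape of `kubectl get ... -o json` items (in a real kubeadm cluster the aggregation-controller role is bound; it is left unbound here only to show the binding filter).

```python
"""Offline check for escalate/bind/impersonate grants, mirroring the stored query logic."""

# Resources and apiGroups that make each verb dangerous, as in the stored checks above.
DANGEROUS = {
    "escalate":    ({"clusterroles", "roles"}, {"rbac.authorization.k8s.io"}),
    "bind":        ({"clusterroles", "roles"}, {"rbac.authorization.k8s.io"}),
    "impersonate": ({"users", "serviceaccounts", "groups", "uids"}, {""}),
}

def _rule_hits(rule, verb, resources, groups):
    """True if a single rule grants `verb` (or '*') on a matching resource and apiGroup."""
    return bool(set(rule.get("verbs", [])) & {verb, "*"}
                and set(rule.get("resources", [])) & (resources | {"*"})
                and set(rule.get("apiGroups", [])) & (groups | {"*"}))

def dangerous_verbs(role):
    """Sorted list of the escalation verbs a Role/ClusterRole object grants."""
    return sorted(v for v, (res, grp) in DANGEROUS.items()
                  if any(_rule_hits(r, v, res, grp) for r in role.get("rules", [])))

def bound_findings(roles, bindings):
    """(binding name, role name, verbs) for each binding whose roleRef grants one of
    the verbs; roles without a binding are ignored, as the stored checks do."""
    index = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r for r in roles}
    out = []
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; ClusterRoles are not namespaced.
        ns = "" if ref["kind"] == "ClusterRole" else b["metadata"].get("namespace", "")
        role = index.get((ref["kind"], ns, ref["name"]))
        if role and (verbs := dangerous_verbs(role)):
            out.append((b["metadata"]["name"], ref["name"], verbs))
    return out

# Constructed sample objects in the shape of `kubectl get ... -o json` items.
# The aggregation-controller role is deliberately left unbound here.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:controller:clusterrole-aggregation-controller"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["escalate", "get", "list", "patch", "update", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "impersonator", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "ci-impersonate", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "impersonator"}},
]
```

`bound_findings(SAMPLE_ROLES, SAMPLE_BINDINGS)` reports the cluster-admin binding with all three verbs and the dev RoleBinding with impersonate; the unbound aggregation-controller role is skipped even though `dangerous_verbs` flags its escalate grant.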