Overview
ClusterRoles and Roles that grant the impersonate, bind or escalate verbs should not be bound to subjects unless strictly required. Each of these verbs allows a subject to escalate its privileges beyond those explicitly granted by cluster administrators.
Rationale
The impersonate verb lets a subject act as another user, group or service account (or set an arbitrary UID) and thereby acquire that identity's rights in the cluster. The bind verb lets a subject create RoleBindings or ClusterRoleBindings that reference a Role or ClusterRole holding permissions the subject does not itself have, raising its effective permissions. The escalate verb lets a subject create or update Roles and ClusterRoles so that they contain permissions the subject does not itself hold, so any role it is already bound to can be raised to that level.
Each of these permissions can be used to reach cluster-admin level: impersonating a member of system:masters, binding cluster-admin to oneself, or editing a role one already holds to grant every verb on every resource.
Impact
Some cluster components need these permissions to operate (see Default value), so verify what a system service account uses them for before removing them.
Default value
In a default kubeadm cluster, the system:masters group (through the cluster-admin ClusterRoleBinding) and the clusterrole-aggregation-controller service account in kube-system have the escalate verb. The system:masters group also has bind and impersonate.
Remediation guidance
Where possible, remove the impersonate, bind and escalate verbs from Roles and ClusterRoles bound to non-system subjects, or remove the bindings themselves. Where a grant must stay, scope it as narrowly as possible: a namespaced RoleBinding rather than a ClusterRoleBinding, explicit resource lists rather than "*", and resourceNames to limit bind or escalate to the specific roles involved.
References
- https://workbench.cisecurity.org/sections/1126661/recommendations/1838597
- https://www.impidio.com/blog/kubernetes-rbac-security-pitfalls
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Kubernetes
Use admission policies, baseline cluster configuration, GitOps templates, and namespace or workload guardrails so new deployments follow the control by default.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control, one per combination of dangerous verb and binding type. Each query treats a wildcard (*) verb, resource or API group as a match, so cluster-admin-style roles are flagged alongside roles that name the verb explicitly, and only roles that currently have at least one binding are returned.
Kubernetes RoleBindings to Roles which provide escalate privileges
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide escalate privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide escalate privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "escalate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to Roles which provide bind privileges
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide bind privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide bind privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "bind" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "clusterroles" }
                  { resources_INCLUDES: "roles" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "rbac.authorization.k8s.io" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to Roles which provide impersonate privileges
Expected check: eq []
{
  roles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { bindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    bindings {
      ...AssetFragment
    }
  }
}
Kubernetes RoleBindings to ClusterRoles which provide impersonate privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { roleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    roleBindings {
      ...AssetFragment
    }
  }
}
Kubernetes ClusterRoleBindings to ClusterRoles which provide impersonate privileges
Expected check: eq []
{
  clusterRoles(
    where: {
      AND: [
        {
          rules_SOME: {
            AND: [
              {
                OR: [
                  { verbs_INCLUDES: "impersonate" }
                  { verbs_INCLUDES: "*" }
                ]
              }
              {
                OR: [
                  { resources_INCLUDES: "users" }
                  { resources_INCLUDES: "serviceaccounts" }
                  { resources_INCLUDES: "groups" }
                  { resources_INCLUDES: "uids" }
                  { resources_INCLUDES: "*" }
                ]
              }
              { OR: [{ apiGroup_INCLUDES: "" }, { apiGroup_INCLUDES: "*" }] }
            ]
          }
        },
        { clusterRoleBindings_SOME: { idFromProvider_NOT: "" } }
      ]
    }
  ) {
    clusterRoleBindings {
      ...AssetFragment
    }
  }
}
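A local equivalent of the stored checks above, added here as an example (it is not the scanner's query engine or the CIS benchmark's own code): it applies the same verb, resource and apiGroup matching, including the wildcard handling, to RBAC objects in the shape of `kubectl get ... -o json` items, and its `strip_dangerous_verbs` helper shows the remediation from the guidance above on a flagged Role. The object names ci-deployer, support-impersonator, pod-reader and their bindings are constructed for the example; the cluster-admin and system:controller:clusterrole-aggregation-controller entries mirror the kubeadm defaults listed under Default value.

```python
"""Offline equivalent of the stored checks above, run over objects shaped like the
items of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
The sample objects at the bottom are constructed for this example; the cluster-admin
and clusterrole-aggregation-controller entries mirror kubeadm defaults."""

# Per dangerous verb: the apiGroups and resources on which granting it is a finding.
# "*" in a rule's verbs, apiGroups or resources matches anything, as in the stored queries.
DANGEROUS = {
    "escalate": ({"rbac.authorization.k8s.io"}, {"roles", "clusterroles"}),
    "bind": ({"rbac.authorization.k8s.io"}, {"roles", "clusterroles"}),
    "impersonate": ({""}, {"users", "groups", "serviceaccounts", "uids"}),
}

def _covers(rule_values, wanted):
    """True if a rule list (verbs, apiGroups or resources) covers any wanted value."""
    return "*" in rule_values or not wanted.isdisjoint(rule_values)

def dangerous_verbs(role):
    """Dangerous verbs a Role/ClusterRole grants, explicitly or through a wildcard."""
    found = set()
    for rule in role.get("rules") or []:
        for verb, (groups, resources) in DANGEROUS.items():
            if (_covers(rule.get("verbs", []), {verb})
                    and _covers(rule.get("apiGroups", []), groups)
                    and _covers(rule.get("resources", []), resources)):
                found.add(verb)
    return found

def _subject(s):
    ns = f'{s["namespace"]}/' if s["kind"] == "ServiceAccount" else ""
    return f'{s["kind"]}/{ns}{s["name"]}'

def find_findings(roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Bindings whose referenced role grants escalate, bind or impersonate. A RoleBinding
    references a Role in its own namespace or a ClusterRole; a ClusterRoleBinding
    references a ClusterRole. A dangling roleRef grants nothing and is skipped."""
    index = {("Role", r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    index.update({("ClusterRole", None, r["metadata"]["name"]): r for r in cluster_roles})
    findings = []
    for b in role_bindings + cluster_role_bindings:
        ref, meta = b["roleRef"], b["metadata"]
        ns = meta.get("namespace") if ref["kind"] == "Role" else None
        role = index.get((ref["kind"], ns, ref["name"]))
        verbs = dangerous_verbs(role) if role else set()
        if verbs:
            name = f'{meta["namespace"]}/{meta["name"]}' if b["kind"] == "RoleBinding" else meta["name"]
            findings.append({
                "binding": f'{b["kind"]}/{name}',
                "role": f'{ref["kind"]}/{ref["name"]}',
                "verbs": sorted(verbs),
                "subjects": sorted(_subject(s) for s in b.get("subjects", [])),
            })
    return findings

def strip_dangerous_verbs(role):
    """Remediation helper: drop explicit escalate/bind/impersonate verbs from the rules
    where they matter. A rule with verbs ["*"] is left alone and stays a finding: it has
    to be rewritten by hand into the verbs the subject actually needs."""
    out = {**role, "rules": []}
    for rule in role.get("rules") or []:
        verbs = list(rule.get("verbs", []))
        if "*" not in verbs:
            for verb, (groups, resources) in DANGEROUS.items():
                if _covers(rule.get("apiGroups", []), groups) and _covers(rule.get("resources", []), resources):
                    verbs = [v for v in verbs if v != verb]
        if verbs:
            out["rules"].append({**rule, "verbs": verbs})
    return out

# Constructed sample objects (kubectl -o json shape, trimmed to the fields the check reads).
def _obj(kind, name, namespace=None, **body):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **body}

RBAC = "rbac.authorization.k8s.io"
ROLES = [_obj("Role", "ci-deployer", "ci", rules=[
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": ["create", "bind"]}])]
CLUSTER_ROLES = [
    _obj("ClusterRole", "cluster-admin", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("ClusterRole", "system:controller:clusterrole-aggregation-controller", rules=[{"apiGroups": [RBAC],
         "resources": ["clusterroles"], "verbs": ["escalate", "get", "list", "patch", "update", "watch"]}]),
    _obj("ClusterRole", "support-impersonator", rules=[{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]),
    _obj("ClusterRole", "pod-reader", rules=[{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]),
]
ROLE_BINDINGS = [
    _obj("RoleBinding", "ci-deployer", "ci", roleRef={"kind": "Role", "name": "ci-deployer"},
         subjects=[{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]),
    _obj("RoleBinding", "readers", "ci", roleRef={"kind": "ClusterRole", "name": "pod-reader"},
         subjects=[{"kind": "User", "name": "alice"}]),
]
CLUSTER_ROLE_BINDINGS = [
    _obj("ClusterRoleBinding", "cluster-admin", roleRef={"kind": "ClusterRole", "name": "cluster-admin"},
         subjects=[{"kind": "Group", "name": "system:masters"}]),
    _obj("ClusterRoleBinding", "system:controller:clusterrole-aggregation-controller",
         roleRef={"kind": "ClusterRole", "name": "system:controller:clusterrole-aggregation-controller"},
         subjects=[{"kind": "ServiceAccount", "name": "clusterrole-aggregation-controller", "namespace": "kube-system"}]),
    _obj("ClusterRoleBinding", "support-impersonators", roleRef={"kind": "ClusterRole", "name": "support-impersonator"},
         subjects=[{"kind": "Group", "name": "support"}]),
]
```

Calling find_findings(ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS) on the sample data returns four findings: the ci-deployer RoleBinding (bind), the cluster-admin binding to system:masters (all three verbs through the wildcard), the aggregation-controller binding (escalate) and the support-impersonators binding (impersonate); the readers binding to pod-reader is not flagged. To run it against a real cluster, partition the items of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` by their `kind` and pass the four lists in. The two kubeadm defaults will show up on every cluster; they are the system-service case the Impact section warns about, so record them as approved exceptions with an owner rather than stripping the verbs.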