Excessive RoleBindings / ClusterRoleBindings permissions
ID | rbac_bind_role_bindings
Severity | low
Vendor | Kubernetes
Resource | RBAC
Tags | reachable
Description
Kubernetes RBAC is a key security control for ensuring that cluster users and workloads have only the access to resources they need to perform their roles.
The bind verb lets its holder create RoleBindings that reference Roles or ClusterRoles whose permissions the holder does not itself have. This bypasses the escalation check that normally only allows a binding to be created by a subject that already holds every permission in the referenced role, so granting it over a whole namespace is excessive in general.
bind on ClusterRoleBindings is similar but grants that ability across the entire cluster, which is worse.
Granting bind on RoleBindings or ClusterRoleBindings for any Role or ClusterRole increases the blast radius if a user or service account holding it is compromised: the attacker can bind any existing role, including cluster-admin, to an identity they control. Kubernetes evaluates bind against the Role or ClusterRole named in the binding's roleRef, so where the verb is genuinely needed it should be restricted with a resourceNames list naming the specific roles that may be bound.
Learn more about this topic at Kubernetes RBAC - privilege escalation risks.
Examples
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings"]
    verbs: ["bind"] (1)
1 | Granting bind on RoleBindings or ClusterRoleBindings with no resourceNames restriction lets the holder attach any Role or ClusterRole to any identity. This should be minimized. |
Mitigation / Fix
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good (1)
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get"]
1 | Dropping the bind verb leaves only read access to ClusterRoles across the cluster, so the holder can no longer grant permissions it does not itself hold. |
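One way to check a cluster's roles for the pattern this rule describes, as an added example that is not part of the rule page or of Kubernetes itself. It is a small offline checker: the input mimics the item list of a `kubectl get clusterroles,roles -A -o json` dump and is constructed inline (the ClusterRoles bad and good from the page, a role-grantor-style role that scopes bind with resourceNames, and a wildcard role). The function names, the SAMPLE_ITEMS data and the treatment of a resourceNames-scoped bind as acceptable are assumptions of this example, not part of the rule.

```python
"""Added example: flag RBAC rules that grant the bind verb without a
resourceNames restriction. Not code from the rule page or from Kubernetes."""

RBAC_GROUP = "rbac.authorization.k8s.io"
# Resources on which a bind (or wildcard) verb is treated as excessive.
BIND_TARGETS = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}


def rule_grants_bind(rule):
    """True if one PolicyRule grants bind (or a wildcard verb) on RBAC resources."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    if not any(g in (RBAC_GROUP, "*") for g in groups):
        return False
    if not any(r == "*" or r in BIND_TARGETS for r in resources):
        return False
    return "bind" in verbs or "*" in verbs


def find_excessive_bind(items):
    """Return one finding dict per rule granting bind with no resourceNames.

    A bind scoped by resourceNames (the documented least-privilege pattern)
    is accepted here; everything else that grants bind is reported.
    """
    findings = []
    for item in items:
        name = f"{item['kind']}/{item['metadata']['name']}"
        for rule in item.get("rules", []):
            if not rule_grants_bind(rule):
                continue
            if rule.get("resourceNames"):
                continue  # assumption: named-role bind is acceptable
            findings.append({
                "role": name,
                "resources": list(rule.get("resources", [])),
                "verbs": list(rule.get("verbs", [])),
                "reason": "bind granted without resourceNames restriction",
            })
    return findings


def _clusterrole(name, rules):
    return {"kind": "ClusterRole", "apiVersion": f"{RBAC_GROUP}/v1",
            "metadata": {"name": name}, "rules": rules}


# Constructed sample input, shaped like `kubectl ... -o json` items.
SAMPLE_ITEMS = [
    _clusterrole("bad", [
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterrolebindings"], "verbs": ["bind"]},
    ]),
    _clusterrole("good", [
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get"]},
    ]),
    # bind restricted to named roles: the holder may only hand out edit/view.
    _clusterrole("role-grantor", [
        {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["create"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["bind"],
         "resourceNames": ["edit", "view"]},
    ]),
    # Wildcards cover bind on every RBAC resource, so they are reported too.
    _clusterrole("wildcard-admin", [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ]),
]


if __name__ == "__main__":
    for f in find_excessive_bind(SAMPLE_ITEMS):
        print(f"{f['role']}: {f['reason']} (resources={f['resources']}, verbs={f['verbs']})")
```

To run it against a real cluster, load `kubectl get clusterroles,roles -A -o json` with `json.load` and pass its `items` list to find_excessive_bind; the wildcard case will also report the built-in cluster-admin ClusterRole, which is expected and should be reviewed for who is bound to it rather than edited.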