Excessive write permissions over admission webhook
ID | rbac_control_webhooks
Severity | high
Vendor | Kubernetes
Resource | RBAC
Tags | reachable
Description
Kubernetes RBAC is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles.
ClusterRoles that grant write permissions over admission webhook configurations should be minimized: a validating admission webhook can read every object admitted to the cluster, and a mutating admission webhook can read and mutate every object admitted to the cluster.
ClusterRoles that grant control over admission webhooks therefore grant near cluster-admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that could take over the entire cluster if compromised.
Learn more about this topic at Role Based Access Control Good Practices.
Examples
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["create", "list"] # (1)
  # Other permissions
(1) MutatingWebhookConfigurations.create is an excessive privilege.
Mitigation / Fix
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["list"] # (1)
  # Other permissions
(1) The MutatingWebhookConfigurations create permission was removed.
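To turn the description and the two examples above into a repeatable check, the following script (an added example, not part of this rule page or of any scanner's own code) audits the JSON that `kubectl get clusterroles -o json` prints and reports every ClusterRole that grants a write verb over mutating or validating webhook configurations. It goes slightly beyond the page by also handling `*` wildcards in apiGroups, resources and verbs, which grant the same access implicitly. The embedded sample list is constructed for this example and mirrors the "bad" and "good" roles shown above.

```python
"""Audit ClusterRoles for write access to admission webhook configurations.

Input is a v1 List of ClusterRoles in the shape printed by
`kubectl get clusterroles -o json`. Run with `-` as the only argument to read
that JSON from stdin; with no arguments the constructed SAMPLE below is used.
"""
import json
import sys

# Verbs that let a subject create or change objects; "*" covers every verb.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
WEBHOOK_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {
    "mutatingwebhookconfigurations",
    "validatingwebhookconfigurations",
}


def _matches(values, wanted):
    """True if any entry of a rule field names a wanted value or is the
    wildcard "*" (RBAC treats "*" as matching all groups or resources)."""
    return any(v == "*" or v in wanted for v in values)


def webhook_write_rules(cluster_role):
    """Return the rules of one ClusterRole that grant a write verb over
    mutating or validating webhook configurations."""
    hits = []
    for rule in cluster_role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (_matches(groups, {WEBHOOK_GROUP})
                and _matches(resources, WEBHOOK_RESOURCES)
                and any(v in WRITE_VERBS for v in verbs)):
            hits.append(rule)
    return hits


def audit(cluster_role_list):
    """Map each offending ClusterRole name to the sorted write verbs it
    grants over webhook configurations; roles with read-only access
    (like "good" above) are not reported."""
    findings = {}
    for role in cluster_role_list.get("items", []):
        verbs = set()
        for rule in webhook_write_rules(role):
            verbs.update(v for v in rule["verbs"] if v in WRITE_VERBS)
        if verbs:
            findings[role["metadata"]["name"]] = sorted(verbs)
    return findings


# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "bad"},
     "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
                "resources": ["mutatingwebhookconfigurations"],
                "verbs": ["create", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "good"},
     "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
                "resources": ["mutatingwebhookconfigurations"],
                "verbs": ["list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
  ]
}
""")

if __name__ == "__main__":
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for name, verbs in audit(data).items():
        print(f"{name}: write access to webhook configurations via {verbs}")
```

Pipe a live cluster in with `kubectl get clusterroles -o json | python3 audit_webhook_rbac.py -`; any role listed here should be reviewed against the mitigation above, and the wildcard case is reported because `*` on apiGroups, resources and verbs is exactly the cluster-admin-level grant the description warns about.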