Checkov and Bridgecrew now support Kubernetes graph policies! Kubernetes graph policies make connections between two or more resources. This allows you to identify issues that are not misconfigurations unless they are combined.
For example, CKV2_K8S_2 - “Granting
create permissions to
pods/exec sub resources allows potential privilege escalation.” Using the
create verb is useful for POST commands to the Kubelet API. However, binding this verb with a nodes proxy resource and binding that to a service account can be abused to make unaudited API calls and communicate directly to the kubelet API to escalate privileges. Just checking the Role, Service Account, or the RoleBinding will not let you know if this insecure combination is made.
With Kubernetes graph edges support, the Bridgecrew team and our open source contributors can now dive deeper into K8s advanced policies!