Ensure ClusterRoles that grant control over validating or mutating admission webhook configurations are minimized

Error: ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized

Bridgecrew Policy ID: BC_K8S_111
Checkov Check ID: CKV_K8S_155
Severity: HIGH


Description

ClusterRoles that grant write permissions over admission webhook configurations should be minimized to reduce the number of powerful identities in the cluster. Validating admission webhooks can read every object admitted to the cluster, while mutating admission webhooks can read and mutate every object admitted to the cluster. As such, ClusterRoles that grant control over admission webhooks are granting near cluster-admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that, if compromised, could take over the entire cluster.

Fix - Buildtime

Kubernetes

  • Kind: ClusterRole
  • Argument: rules
    ClusterRoles that grant the "create", "update" or "patch" verbs over the "mutatingwebhookconfigurations" or "validatingwebhookconfigurations" resources in the "admissionregistration.k8s.io" API group are granting control over admission webhooks.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClusterRole-name>
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs:
  - list
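The matching described above (the "create", "update" or "patch" verbs on the two webhook configuration resources in the "admissionregistration.k8s.io" group), as an added Python example that is not Checkov's own implementation of CKV_K8S_155. It goes one step beyond the text by treating a "*" wildcard in apiGroups, resources or verbs as granting everything (an assumption of this example); the three ClusterRoles are constructed sample input, embedded as dicts so no YAML parser is needed.

```python
"""Flag ClusterRoles that grant control over admission webhook configurations.

Added example, not Checkov's check logic. Wildcard handling ('*' grants
everything) is an assumption; the manifests below are constructed samples.
"""

WEBHOOK_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
CONTROL_VERBS = {"create", "update", "patch"}


def _grants_any(granted, wanted):
    """True if any wanted value is granted; '*' is treated as matching all."""
    granted = set(granted or [])
    return "*" in granted or bool(granted & wanted)


def webhook_control_rules(cluster_role):
    """Return the rules of a ClusterRole that grant control over webhook configs."""
    hits = []
    for rule in cluster_role.get("rules") or []:
        if (_grants_any(rule.get("apiGroups"), {WEBHOOK_GROUP})
                and _grants_any(rule.get("resources"), WEBHOOK_RESOURCES)
                and _grants_any(rule.get("verbs"), CONTROL_VERBS)):
            hits.append(rule)
    return hits


def is_minimized(cluster_role):
    """True when the ClusterRole grants no create/update/patch over webhook configs."""
    return not webhook_control_rules(cluster_role)


# Constructed sample ClusterRoles (not from any real cluster).
COMPLIANT = {"kind": "ClusterRole", "metadata": {"name": "webhook-reader"}, "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": [WEBHOOK_GROUP], "resources": ["mutatingwebhookconfigurations"], "verbs": ["list"]},
]}
NONCOMPLIANT = {"kind": "ClusterRole", "metadata": {"name": "webhook-editor"}, "rules": [
    {"apiGroups": [WEBHOOK_GROUP], "resources": ["validatingwebhookconfigurations"], "verbs": ["get", "patch"]},
]}
WILDCARD = {"kind": "ClusterRole", "metadata": {"name": "everything"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for role in (COMPLIANT, NONCOMPLIANT, WILDCARD):
        status = "PASSED" if is_minimized(role) else "FAILED"
        print(f"{role['metadata']['name']}: {status}")
```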