ClusterRoles that grant control over validating or mutating admission webhook configurations are not minimized
ClusterRoles that grant write permissions over admission webhook configurations should be minimized to reduce the number of powerful identities in the cluster. Validating admission webhooks can read every object admitted to the cluster, while mutating admission webhooks can read and mutate every object admitted to the cluster. As such, ClusterRoles that grant control over admission webhooks are granting near cluster-admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that, if compromised, could take over the entire cluster.
- Kind: ClusterRole
- Argument: rules
ClusterRoles that grant the "create", "update" or "patch" verbs over the "mutatingwebhookconfigurations" or "validatingwebhookconfigurations" resources in the "admissionregistration.k8s.io" API group are granting control over admission webhooks.
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClusterRole-name>
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs:
      - list
```
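The check described above, as an added example that is not part of this rule page: it flags ClusterRole rules granting "create", "update" or "patch" on the webhook configuration resources, and also catches the wildcard ("*") forms of apiGroups, resources and verbs that a literal string match would miss. The sample ClusterRoles are constructed and written as the parsed form of the YAML manifests, so no YAML library is needed.

```python
# Added example: detect ClusterRoles granting write control over admission
# webhook configurations, including "*" wildcards in any of the three fields.

WEBHOOK_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations",
                     "validatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch"}


def _covers(granted, wanted):
    """True if the granted list covers any wanted value ('*' matches all)."""
    granted = set(granted or [])
    return "*" in granted or bool(granted & wanted)


def webhook_write_rules(cluster_role):
    """Return the rules of a ClusterRole (as a parsed dict) that grant
    create/update/patch on mutating or validating webhook configurations."""
    offending = []
    for rule in cluster_role.get("rules") or []:
        if (_covers(rule.get("apiGroups"), {WEBHOOK_GROUP})
                and _covers(rule.get("resources"), WEBHOOK_RESOURCES)
                and _covers(rule.get("verbs"), WRITE_VERBS)):
            offending.append(rule)
    return offending


# Constructed sample: read-only access, should not be flagged.
READ_ONLY_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "webhook-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
        {"apiGroups": [WEBHOOK_GROUP],
         "resources": ["mutatingwebhookconfigurations"],
         "verbs": ["list"]},
    ],
}

# Constructed sample: wildcard group and resource with "patch", flagged.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "webhook-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["patch"]}],
}

if __name__ == "__main__":
    for role in (READ_ONLY_ROLE, WILDCARD_ROLE):
        hits = webhook_write_rules(role)
        print(role["metadata"]["name"], "flagged" if hits else "ok")
```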