Ensure ClusterRoles that grant permissions to approve CertificateSigningRequests are minimized

Error: ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized

Bridgecrew Policy ID: BC_K8S_112
Checkov Check ID: CKV_K8S_156
Severity: HIGH

ClusterRoles that grant permissions to approve CertificateSigningRequests are not minimized

Description

ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster.

Fix - Buildtime

Kubernetes

  • Kind: ClusterRole
  • Argument: rules
    ClusterRoles that grant the "update" verbs over the "certificatesigningrequests/approval" and the "approve" verb over "signers" in the "certificates.k8s.io" API group are granting permissions to approve CertificateSigningRequests
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClusterRole-name>
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["get", "list", "create]
x- apiGroups: ["certificates.k8s.io"]
x  resources: ["certificatesigningrequests/approval"]
x  verbs: ["update"]
x- apiGroups: ["certificates.k8s.io"]
x  resources: ["signers"]
x  verbs: ["approve"]