Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized
Role or ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings should be minimized to reduce powerful identities in the cluster. Such Roles and ClusterRoles can attach existing permissions (Roles and ClusterRoles) to arbitrary identities. RoleBindings grant permissions over a namespace, while ClusterRoleBindings grant permissions over the entire cluster. Minimize such Roles and ClusterRoles to limit the number of powerful credentials that if compromised could escalate privileges and possibly take over the entire cluster.
- Kind: ClusterRole, Role
- Argument: rules
ClusterRoles and Roles that grant the "bind" verbs over "clusterrolebindings" or "rolebindings" in the "rbac.authorization.k8s.io" API group should be minimized.
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: <ClusterRole-name> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "clusterroles"] verbs: ["get", "list", "create", "update"] x- apiGroups: ["rbac.authorization.k8s.io"] x resources: ["clusterrolebindings"] x verbs: ["bind"]
Updated 2 months ago