Ensure Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are minimized

Error: Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings are not minimized

Bridgecrew Policy ID: BC_K8S_113
Checkov Check ID: CKV_K8S_157
Severity: MEDIUM

Description

Roles and ClusterRoles that grant permission to bind RoleBindings or ClusterRoleBindings should be minimized to reduce the number of powerful identities in the cluster. A subject holding such a Role or ClusterRole can attach existing permission sets (Roles and ClusterRoles) to arbitrary identities. A RoleBinding grants permissions within a single namespace, while a ClusterRoleBinding grants them across the entire cluster. Keeping these Roles and ClusterRoles to a minimum limits the number of credentials that, if compromised, could escalate privileges and potentially take over the whole cluster.

Fix - Buildtime

Kubernetes

  • Kind: ClusterRole, Role
  • Argument: rules
    ClusterRoles and Roles that grant the "bind" verb over "clusterrolebindings" or "rolebindings" in the "rbac.authorization.k8s.io" API group should be minimized. In Kubernetes RBAC a wildcard "*" in verbs, resources or apiGroups covers "bind" as well, so such rules are just as powerful even though the word never appears. Note also that the API server evaluates "bind" against the referenced Role or ClusterRole: a subject may create a binding to a role whose permissions it does not itself hold only if it has been granted "bind" on that role, so "bind" over "roles" and "clusterroles" deserves the same scrutiny.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClusterRole-name>
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "clusterroles"]
  verbs: ["get", "list", "create", "update"]
# Remove the rule below: it grants "bind" on clusterrolebindings and is what
# this check flags. The rule above does not grant "bind" and may stay.
# - apiGroups: ["rbac.authorization.k8s.io"]
#   resources: ["clusterrolebindings"]
#   verbs: ["bind"]
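The following is an added example, not part of the Bridgecrew page and not Checkov's own implementation of CKV_K8S_157. It applies the rule described above to parsed Role/ClusterRole manifests (Python dicts in the shape yaml.safe_load would return, constructed here so the script runs offline), treats "*" as covering "bind", and offers a stricter mode that also reports "bind" on "roles" and "clusterroles", which is the form the Kubernetes API server actually honours. The manifest names, the ALL_RBAC_RESOURCES extension and the strip_bind remediation helper are this example's own assumptions.

```python
"""Added example (not from the Bridgecrew page or Checkov's code): scan parsed
Role/ClusterRole manifests for rules that grant the "bind" verb on binding
resources, the condition this check reports on."""
import copy
from typing import Dict, List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"
WILDCARD = "*"
# Resources the check described on this page looks at.
BINDING_RESOURCES = frozenset({"rolebindings", "clusterrolebindings"})
# Kubernetes evaluates "bind" against the referenced Role/ClusterRole, so a
# stricter scan adds those resources too. This extension is ours, not the check's.
ALL_RBAC_RESOURCES = BINDING_RESOURCES | {"roles", "clusterroles"}

Finding = Tuple[str, str, List[str]]


def _covers(values, wanted: str) -> bool:
    """True if a rule list names `wanted` or is a wildcard."""
    return WILDCARD in (values or []) or wanted in (values or [])


def bind_targets(rule: Dict, resources=BINDING_RESOURCES) -> set:
    """Resources from `resources` on which this single rule allows the "bind" verb."""
    if not _covers(rule.get("verbs"), "bind"):
        return set()
    if not _covers(rule.get("apiGroups"), RBAC_GROUP):
        return set()
    listed = rule.get("resources") or []
    if WILDCARD in listed:
        return set(resources)
    # "resource/subresource" entries are matched on their base resource.
    return {r.split("/", 1)[0] for r in listed if r.split("/", 1)[0] in resources}


def find_bind_grants(manifest: Dict, resources=BINDING_RESOURCES) -> List[Finding]:
    """(kind, name, sorted resources) for every offending rule in one manifest."""
    if manifest.get("kind") not in ("Role", "ClusterRole"):
        return []
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    findings: List[Finding] = []
    for rule in manifest.get("rules") or []:
        hit = bind_targets(rule, resources)
        if hit:
            findings.append((manifest["kind"], name, sorted(hit)))
    return findings


def strip_bind(manifest: Dict, resources=BINDING_RESOURCES) -> Dict:
    """Copy of `manifest` with "bind" removed from offending rules. A rule whose only
    verb was "bind" is dropped, as the commented-out lines in the fix above are.
    Wildcard verbs are left untouched so a human decides what the rule should become."""
    fixed = copy.deepcopy(manifest)
    kept = []
    for rule in fixed.get("rules") or []:
        verbs = rule.get("verbs") or []
        if bind_targets(rule, resources) and WILDCARD not in verbs:
            rule["verbs"] = [v for v in verbs if v != "bind"]
            if not rule["verbs"]:
                continue
        kept.append(rule)
    fixed["rules"] = kept
    return fixed


# Constructed manifests (dicts as yaml.safe_load would produce), not from a real cluster.
FLAGGED = {  # the page's fix example, with a placeholder name
    "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "binder-example"},
    "rules": [
        {"apiGroups": [RBAC_GROUP], "resources": ["roles", "clusterroles"],
         "verbs": ["get", "list", "create", "update"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterrolebindings"], "verbs": ["bind"]},
    ],
}
WILDCARD_ROLE = {  # "*" everywhere grants bind even though the word never appears
    "kind": "ClusterRole", "metadata": {"name": "star-example"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BIND_ON_ROLE = {  # the form the API server honours; only the strict scan reports it
    "kind": "Role", "metadata": {"name": "role-binder-example", "namespace": "dev"},
    "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
               "resourceNames": ["admin"], "verbs": ["bind"]}],
}
CLEAN = {  # read-only access to bindings is not what the check is about
    "kind": "Role", "metadata": {"name": "viewer-example", "namespace": "dev"},
    "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"],
               "verbs": ["get", "list", "watch"]}],
}

if __name__ == "__main__":
    for m in (FLAGGED, WILDCARD_ROLE, BIND_ON_ROLE, CLEAN):
        print(m["metadata"]["name"], find_bind_grants(m),
              find_bind_grants(m, ALL_RBAC_RESOURCES))
```

Run it as a script to see which constructed manifests each mode reports; in a real pipeline the dicts would come from yaml.safe_load_all over the manifests in the repository, and the strict mode is the one to use when the question is "who can hand out permissions they do not hold", since that is what the API server checks.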