Role or ClusterRoles that grant permissions to escalate Roles or ClusterRoles should be minimized to reduce powerful identities in the cluster. Such Roles and ClusterRoles can add arbitrary permissions to arbitrary identities. Escalating Roles can add permissions over a namespace, while escalating ClusterRoles can add permissions over the entire cluster. Minimize such Roles and ClusterRoles to limit the number of powerful credentials that if compromised could escalate privileges and possibly take over the entire cluster.
- Kind: ClusterRole, Role
- Argument: rules
ClusterRoles and Roles that grant the "escalate" verbs over "clusterroles" or "roles" in the "rbac.authorization.k8s.io" API group should be minimized.
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: <ClusterRole-name> rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "clusterrolebindings"] verbs: ["get", "list", "create", "update"] x- apiGroups: ["rbac.authorization.k8s.io"] x resources: ["clusterroles"] x verbs: ["escalate"]
Updated 16 days ago