Ensure Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are minimized

Error: Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRole are not minimized

Bridgecrew Policy ID: BC_K8S_114
Checkov Check ID: CKV_K8S_158
Severity: MEDIUM

Description

Roles or ClusterRoles that grant permissions to escalate Roles or ClusterRoles should be minimized to reduce the number of powerful identities in the cluster. Such Roles and ClusterRoles can add arbitrary permissions to arbitrary identities. An escalating Role can add permissions within its namespace, while an escalating ClusterRole can add permissions across the entire cluster. Minimize such Roles and ClusterRoles to limit the number of powerful credentials that, if compromised, could escalate privileges and possibly take over the entire cluster.

Fix - Buildtime

Kubernetes

  • Kind: ClusterRole, Role
  • Argument: rules
    ClusterRoles and Roles that grant the "escalate" verb over "clusterroles" or "roles" in the "rbac.authorization.k8s.io" API group should be minimized. In the example below, the rule marked with a leading x grants "escalate" on "clusterroles" and should be removed; the first rule, which does not grant "escalate", may stay.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <ClusterRole-name>
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "clusterrolebindings"]
  verbs: ["get", "list", "create", "update"]
x- apiGroups: ["rbac.authorization.k8s.io"]
x  resources: ["clusterroles"]
x  verbs: ["escalate"]
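The following is an added example, not Checkov's or Bridgecrew's own implementation of CKV_K8S_158. It shows the logic a buildtime scanner applies to a Role or ClusterRole manifest: walk the rules and flag any that grant "escalate" (or the wildcard verb "*") on "roles" or "clusterroles" (or "*") in the "rbac.authorization.k8s.io" API group (or "*"). Manifests are passed as Python dicts, the structure yaml.safe_load() would return; the sample manifests, the function names and the "example-clusterrole" and "too-broad" names are constructed for this example.

```python
# Added example: a minimal re-implementation of the idea behind CKV_K8S_158,
# not Checkov's or Bridgecrew's own code. Manifests are passed as Python dicts,
# the structure yaml.safe_load() returns for a Role/ClusterRole document.
from typing import Any, Dict, List

RBAC_API_GROUPS = {"rbac.authorization.k8s.io", "*"}   # "*" covers every API group
ROLE_RESOURCES = {"roles", "clusterroles", "*"}         # "*" covers every resource
ESCALATE_VERBS = {"escalate", "*"}                      # "*" covers every verb


def find_escalate_rules(manifest: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every rule in a Role/ClusterRole that grants "escalate" (or the
    wildcard verb) on roles or clusterroles in the RBAC API group."""
    if manifest.get("kind") not in ("Role", "ClusterRole"):
        return []
    offending = []
    for rule in manifest.get("rules") or []:
        groups = set(rule.get("apiGroups") or [])
        resources = set(rule.get("resources") or [])
        verbs = set(rule.get("verbs") or [])
        # A rule is escalating only if all three dimensions match, wildcards included.
        if (groups & RBAC_API_GROUPS
                and resources & ROLE_RESOURCES
                and verbs & ESCALATE_VERBS):
            offending.append(rule)
    return offending


def check_minimize_escalate(manifest: Dict[str, Any]) -> str:
    """Mirror the policy's verdict: FAILED when any escalating rule is present."""
    return "FAILED" if find_escalate_rules(manifest) else "PASSED"


# Constructed sample: the ClusterRole from the fix section, before the
# escalating rule is removed (name is a placeholder).
FAILING_CLUSTERROLE = {
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "example-clusterrole"},
    "rules": [
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["roles", "clusterrolebindings"],
         "verbs": ["get", "list", "create", "update"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterroles"],
         "verbs": ["escalate"]},
    ],
}

# Constructed sample: the same ClusterRole with the escalating rule removed.
FIXED_CLUSTERROLE = {
    **FAILING_CLUSTERROLE,
    "rules": FAILING_CLUSTERROLE["rules"][:1],
}

# Constructed sample: a namespaced Role whose wildcards grant escalate implicitly.
WILDCARD_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "too-broad", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed sample: a Deployment, which this check does not apply to.
NOT_A_ROLE = {"kind": "Deployment", "metadata": {"name": "web"}}

if __name__ == "__main__":
    for name, doc in [("failing", FAILING_CLUSTERROLE), ("fixed", FIXED_CLUSTERROLE),
                      ("wildcard", WILDCARD_ROLE)]:
        print(f"{name:9s} {check_minimize_escalate(doc)}")
        for rule in find_escalate_rules(doc):
            print("   offending rule:", rule)
```

Wildcards are treated as matches on purpose: a rule with verbs ["*"] on resources ["*"] in apiGroups ["*"] grants "escalate" on "clusterroles" just as surely as spelling it out, so a check that only looked for the literal strings would miss the broadest and most dangerous grants.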