C-0002 - Prevent containers from allowing command execution
Framework
ClusterScan, MITRE, ArmoBest, NSA, AllControls
Severity
Medium
Description of the the issue
Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to exec into pods– if they have the “pods/exec” verb.
Remediation
It is recommended to prohibit “kubectl exec” command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.
Example
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: ["*"]
resources: ["pods/exec"] # we look for this resource or *
verbs: ["create"] # we look for this verb or *
Updated 9 days ago