C-0007 - Roles with delete capabilities
Framework
ClusterScan, MITRE, AllControls
Severity
Medium
Description of the the issue
Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have delete/deletecollection RBAC permissions on workloads.
Remediation
You should follow the least privilege principle and minimize the number of subjects that can delete resources.
Example
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: ["*"]
resources: ["secrets","pods","services","depolyments","replicasets","deamonsets","stateflsets","jobs,"cronjobs"] # we look for one of these resources or *
verbs: ["delete","deletecollection"] # we look for one of these verbs or *
Updated 9 days ago