C-0007 - Roles with delete capabilities

Framework

ClusterScan, MITRE, AllControls

Severity

Medium

Description of the the issue

Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have delete/deletecollection RBAC permissions on workloads.

Remediation

You should follow the least privilege principle and minimize the number of subjects that can delete resources.

Example

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pod-exec
rules:
- apiGroups: ["*"]
  resources: ["secrets","pods","services","depolyments","replicasets","deamonsets","stateflsets","jobs,"cronjobs"]  # we look for one of these resources or *
  verbs: ["delete","deletecollection"]	    # we look for one of these verbs or *