C-0063 - Portforwarding privileges
Framework
ClusterScan, ArmoBest, AllControls
Severity
Medium
Description of the the issue
Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command “kubectl portforward” command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to portforward into pods– if they have the “pods/portforward” resource.
Remediation
It is recommended to prohibit “kubectl portforward” command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.
Example
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: my-namespace
name: allow-port-forward
rules:
- apiGroups: ["*"]
resources: ["pods", "pods/portforward"] # we look for this resource or *
verbs: ["update", "patch", "create"] # we look for these verbs or *
Updated 11 days ago