C-0065 - No impersonation
Description of the the issue
Impersonation is an explicit RBAC permission to use other roles rather than the one assigned to a user, group or service account. This is sometimes needed for testing purposes. However, it is highly recommended not to use this capability in the production environments for daily operations. This control identifies all subjects whose roles include impersonate verb.
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check for RBACs giving 'impersonate' verb to users/groups/uids/serviceaccounts
Either remove the impersonate verb from the role where it was found or make sure that this role is not bound to users, groups or service accounts used for ongoing cluster operations. If necessary, bind this role to a subject only for specific needs for limited time period.
Updated 2 days ago