C-0065 - No impersonation
Framework
AllControls, ArmoBest
Severity
Medium
Description of the issue
Impersonation is an explicit RBAC permission that lets a subject (a user, group or service account) act as a different user, group, UID or service account by sending Impersonate-User, Impersonate-Group, Impersonate-Uid or Impersonate-Extra-* headers with an API request; the request is then authorized with the impersonated identity's permissions instead of the caller's own. In RBAC it is granted by the 'impersonate' verb on the 'users', 'groups' and 'serviceaccounts' resources of the core API group, and on 'uids' and 'userextras' in the authentication.k8s.io group. Impersonation is sometimes needed for testing, for example to verify what a role can do with kubectl --as. However, a subject that can impersonate arbitrary users or groups can act with any permission in the cluster, including membership of system:masters, so it is highly recommended not to grant this capability in production environments for daily operations. This control identifies all subjects whose roles include the 'impersonate' verb.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Checks every Role and ClusterRole for rules that grant the 'impersonate' verb on users, groups, uids or serviceaccounts, and reports the subjects bound to those roles through RoleBindings and ClusterRoleBindings.
Remediation
Either remove the 'impersonate' verb from the role where it was found, or make sure that the role is not bound to users, groups or service accounts used for ongoing cluster operations. If impersonation is genuinely needed, bind the role to a subject only for a specific task and for a limited time period, and remove the binding afterwards. Note that a rule with the wildcard verb '*' also grants 'impersonate' on whatever resources it lists, so wildcard roles bound to operational subjects should be reviewed as well.
Example
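The following script is an added example for this page and is not Kubescape's own rule code. It reproduces the check described above over the JSON that kubectl prints (kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json): it collects every Role and ClusterRole whose rules grant 'impersonate' (or the wildcard verb '*', which is an assumption of this example about what a reviewer would want flagged) on an identity resource, then follows RoleBindings and ClusterRoleBindings to the subjects that hold those roles. The manifests embedded in SAMPLE are constructed for this example: 'alice' and the 'qa' group hold explicit impersonation roles, the 'ops' service account holds a wildcard role, and the 'ci' service account holds only a pod-reader role and must not be reported.

```python
"""Report RBAC subjects that can impersonate other identities (control C-0065).

Added example, not Kubescape's rule code. Input is kubectl JSON, e.g.:
  kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json | python3 impersonate_check.py
Without stdin input the constructed SAMPLE below is used.
"""
import json
import sys

# Resources on which the 'impersonate' verb is meaningful. The first three are in
# the core API group (""), the last two in authentication.k8s.io.
IMPERSONATION_RESOURCES = {"users", "groups", "serviceaccounts", "uids", "userextras"}


def rule_grants_impersonation(rule):
    """True if one RBAC rule allows 'impersonate' (or the wildcard verb '*')
    on an identity resource (or the wildcard resource '*')."""
    verbs = set(rule.get("verbs", []))
    if not verbs & {"impersonate", "*"}:
        return False
    resources = set(rule.get("resources", []))
    if "*" in resources:
        return True
    # 'userextras/scopes'-style subresources belong to 'userextras'.
    return any(r.split("/")[0] in IMPERSONATION_RESOURCES for r in resources)


def roles_granting_impersonation(objects):
    """Map (kind, namespace, name) -> offending rules for each Role/ClusterRole.
    ClusterRoles use "" as their namespace."""
    found = {}
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        bad = [r for r in obj.get("rules", []) if rule_grants_impersonation(r)]
        if bad:
            ns = obj["metadata"].get("namespace", "")
            found[(obj["kind"], ns, obj["metadata"]["name"])] = bad
    return found


def subjects_with_impersonation(objects):
    """Return the set of subjects bound to a role that grants impersonation,
    formatted as 'User:name', 'Group:name' or 'ServiceAccount:namespace/name'."""
    roles = roles_granting_impersonation(objects)
    hits = set()
    for obj in objects:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        binding_ns = obj["metadata"].get("namespace", "")
        # A RoleBinding can reference a Role in its own namespace or a ClusterRole;
        # a ClusterRoleBinding always references a ClusterRole.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        if key not in roles:
            continue
        for s in obj.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                hits.add(f"ServiceAccount:{s.get('namespace', binding_ns)}/{s['name']}")
            else:
                hits.add(f"{s['kind']}:{s['name']}")
    return hits


def load_items(text):
    """Accept either a kubectl 'List' object or a single object."""
    data = json.loads(text)
    return data["items"] if data.get("kind") == "List" else [data]


# Constructed sample input for this example (not from a real cluster).
SAMPLE = {"kind": "List", "apiVersion": "v1", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "user-impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "all-verbs"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "sa-impersonator", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-impersonates"},
     "roleRef": {"kind": "ClusterRole", "name": "user-impersonator"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-all-verbs"},
     "roleRef": {"kind": "ClusterRole", "name": "all-verbs"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "kube-system"}]},
    {"kind": "RoleBinding", "metadata": {"name": "qa-impersonates-sa", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "sa-impersonator"},
     "subjects": [{"kind": "Group", "name": "qa"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-reads-pods", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
]}

if __name__ == "__main__":
    items = load_items(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE["items"]
    for kind, ns, name in sorted(roles_granting_impersonation(items)):
        print(f"role grants impersonate: {kind} {ns + '/' if ns else ''}{name}")
    for subject in sorted(subjects_with_impersonation(items)):
        print(f"subject can impersonate: {subject}")
```

Run against the sample, the script reports the 'user-impersonator', 'all-verbs' and 'dev/sa-impersonator' roles and the subjects User:alice, Group:qa and ServiceAccount:kube-system/ops; the 'ci' service account is not reported because 'pod-reader' carries no impersonate permission. Subjects that appear in the output are the ones to handle under Remediation above.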