C-0188 - Minimize access to create pods

Framework

cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0

Severity

Medium

Description of the issue

The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have RBAC permissions to create pods.

How to check it manually

Review the users who have create access to pod objects in the Kubernetes API.

Remediation

Where possible, remove create access to pod objects in the cluster.
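The manual check and the remediation above can both be worked through offline with a small RBAC evaluator. The script below is an added example, not part of the control page or of Kubescape's own code: it assumes the JSON shape returned by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`, uses a constructed sample (a wildcard ClusterRole, a `deployer` Role granting `create` on pods, a read-only `viewer` Role, and their bindings), lists every subject that ends up with `create` on `pods`, and then strips that verb from a Role as the remediation would.

```python
"""List RBAC subjects able to create pods and remove that verb from a Role.

Added example, not Kubescape's code. Input shape assumed: the "items" list of
`kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
"""
import copy

# Constructed sample objects standing in for real kubectl output.
SAMPLE_RBAC = {
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "Role", "metadata": {"name": "deployer", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["create", "get", "list"]}]},
        {"kind": "Role", "metadata": {"name": "viewer", "namespace": "dev"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"kind": "RoleBinding", "metadata": {"name": "deployer", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
        {"kind": "RoleBinding", "metadata": {"name": "viewer", "namespace": "dev"},
         "roleRef": {"kind": "Role", "name": "viewer"},
         "subjects": [{"kind": "User", "name": "alice"}]},
    ]
}


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC rule grants `verb` on `resource` in `api_group`.

    A "*" entry in apiGroups, resources or verbs matches anything. Only the
    bare resource name is matched; subresources such as pods/exec are ignored.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def role_grants(role, api_group, resource, verb):
    """True if any rule of a Role or ClusterRole grants the permission."""
    return any(rule_grants(r, api_group, resource, verb) for r in role.get("rules", []))


def subjects_with_permission(rbac, api_group="", resource="pods", verb="create"):
    """Return (binding, subject kind, subject name, subject namespace, scope)
    for every subject whose binding points at a role granting the permission.

    A RoleBinding may reference a ClusterRole; it then grants the ClusterRole's
    rules inside the binding's namespace only, which is reflected in `scope`.
    """
    roles = {}
    for item in rbac["items"]:
        if item["kind"] in ("Role", "ClusterRole"):
            ns = item["metadata"].get("namespace", "") if item["kind"] == "Role" else ""
            roles[(item["kind"], ns, item["metadata"]["name"])] = item

    found = []
    for item in rbac["items"]:
        if item["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = item["roleRef"]
        ns = item["metadata"].get("namespace", "")
        key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"])
        role = roles.get(key)
        if role is None or not role_grants(role, api_group, resource, verb):
            continue
        scope = "cluster-wide" if item["kind"] == "ClusterRoleBinding" else "namespace " + ns
        for s in item.get("subjects", []):
            found.append((item["metadata"]["name"], s["kind"], s["name"],
                          s.get("namespace", ""), scope))
    return found


def remove_verb_from_resource(role, resource, verb):
    """Remediation helper: copy `role` with `verb` dropped from every rule that
    names `resource` explicitly. Rules that reach the permission only through a
    "*" in resources or verbs are returned in `needs_manual` instead of being
    edited, since narrowing a wildcard rule is a design decision, not a deletion.
    """
    fixed = copy.deepcopy(role)
    needs_manual = []
    for rule in fixed.get("rules", []):
        if "*" in rule.get("resources", []) or "*" in rule.get("verbs", []):
            if rule_grants(rule, "", resource, verb):
                needs_manual.append(rule)
            continue
        if resource in rule.get("resources", []) and verb in rule.get("verbs", []):
            rule["verbs"] = [v for v in rule["verbs"] if v != verb]
    return fixed, needs_manual


if __name__ == "__main__":
    print("%-15s %-15s %-16s %-6s %s" % ("BINDING", "KIND", "SUBJECT", "SA-NS", "SCOPE"))
    for row in subjects_with_permission(SAMPLE_RBAC):
        print("%-15s %-15s %-16s %-6s %s" % row)
```

On the sample the listing shows `system:masters` (via `cluster-admin`) and the `ci` service account in `dev` (via `deployer`); `alice` does not appear because `viewer` has no `create` verb. Two caveats when running this against real output: the evaluator matches only the bare `pods` resource, so subresource rules are not reported, and it says nothing about subjects that can create pods indirectly by creating Deployments, Jobs or other workload objects, which is exactly why the kube-system controllers appear in the default list below and must keep their access.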

Impact Statement

Care should be taken not to remove access to pods from system components which require it for their operation.

Default Value

By default in a kubeadm cluster the following list of principals have create privileges on pod objects:

CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACE
cluster-admin                                         system:masters                      Group           
system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-system
system:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-system
system:controller:job-controller                      job-controller                      ServiceAccount  kube-system
system:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-system
system:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-system
system:controller:replication-controller              replication-controller              ServiceAccount  kube-system
system:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system

Example

No example