C-0188 - Minimize access to create pods
Framework
cis-eks-t1.2.0, cis-v1.23-t1.0.1, cis-aks-t1.2.0, ClusterScan
Severity
Medium
Description of the the issue
The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to create pods.
How to check it manually
Review the users who have create access to pod objects in the Kubernetes API.
Remediation
Where possible, remove create
access to pod
objects in the cluster.
Impact Statement
Care should be taken not to remove access to pods to system components which require this for their operation
Default Value
By default in a kubeadm cluster the following list of principals have create
privileges on pod
objects CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:daemon-set-controller daemon-set-controller ServiceAccount kube-systemsystem:controller:job-controller job-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:controller:replicaset-controller replicaset-controller ServiceAccount kube-systemsystem:controller:replication-controller replication-controller ServiceAccount kube-systemsystem:controller:statefulset-controller statefulset-controller ServiceAccount kube-system
Example
No example
Updated 3 months ago