C-0191 - Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
Description of the the issue
The impersonate privilege allows a subject to impersonate other users gaining their rights to the cluster. The bind privilege allows the subject to add a binding to a cluster role or role which escalates their effective permissions in the cluster. The escalate privilege allows a subject to modify cluster roles to which they are bound, increasing their rights to that level.
Each of these permissions has the potential to allow for privilege escalation to cluster-admin level.
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required. Each of these permissions allow a particular subject to escalate their privileges beyond those explicitly granted by cluster administrators
How to check it manually
Review the users who have access to cluster roles or roles which provide the impersonate, bind or escalate privileges.
Where possible, remove the impersonate, bind and escalate rights from subjects.
There are some cases where these permissions are required for cluster service operation, and care should be taken before removing these permissions from system service accounts.
In a default kubeadm cluster, the system:masters group and clusterrole-aggregation-controller service account have access to the escalate privilege. The system:masters group also has access to bind and impersonate.
Updated 8 days ago