C-0191 - Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster

Framework

cis-v1.23-t1.0.1, cis-eks-t1.2.0

Severity

Medium

Description of the the issue

The impersonate privilege allows a subject to impersonate other users gaining their rights to the cluster. The bind privilege allows the subject to add a binding to a cluster role or role which escalates their effective permissions in the cluster. The escalate privilege allows a subject to modify cluster roles to which they are bound, increasing their rights to that level.

Each of these permissions has the potential to allow for privilege escalation to cluster-admin level.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Cluster roles and roles with the impersonate, bind or escalate permissions should not be granted unless strictly required. Each of these permissions allow a particular subject to escalate their privileges beyond those explicitly granted by cluster administrators

How to check it manually

Review the users who have access to cluster roles or roles which provide the impersonate, bind or escalate privileges.

Remediation

Where possible, remove the impersonate, bind and escalate rights from subjects.

Impact Statement

There are some cases where these permissions are required for cluster service operation, and care should be taken before removing these permissions from system service accounts.

Default Value

In a default kubeadm cluster, the system:masters group and clusterrole-aggregation-controller service account have access to the escalate privilege. The system:masters group also has access to bind and impersonate.

Example

No example