C-0272 - Workload with administrative roles
Framework
security
Severity
Medium
Description of the the issue
In Kubernetes environments, workloads granted administrative-level privileges without restrictions represent a critical security vulnerability. When a service account associated with a workload is configured with permissions to perform any action on any resource, it essentially holds unrestricted access within the cluster, akin to cluster admin privileges. This configuration dramatically increases the risk of security breaches, including data theft, unauthorized modifications, and potentially full cluster takeovers. Such privileges allow attackers to exploit the workload for wide-ranging malicious activities, bypassing the principle of least privilege. Therefore, it's essential to follow the least privilege principle and make sure cluster admin permissions are granted only when it is absolutely necessary.
Related resources
ClusterRole, ClusterRoleBinding, CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, Role, RoleBinding, ServiceAccount, StatefulSet
What does this control test
Check if the service account used by a workload has cluster admin roles, either by being bound to the cluster-admin clusterrole, or by having equivalent high privileges.
Remediation
You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use service accounts with such high permissions for daily operations.
Example
No example
Updated 4 months ago