C-0279 - Minimize access to the proxy sub-resource of nodes
Framework
cis-v1.10.0
Severity
Medium
Description of the issue
Users with access to the proxy sub-resource of Node objects automatically have permission to use the Kubelet API, which may allow privilege escalation or the bypass of cluster security controls such as audit logging. The Kubelet exposes an API that includes the right to execute commands in any container running on the node. Access to this API is governed by RBAC permissions on the node object in the main Kubernetes API, and the proxy sub-resource in particular grants wide-ranging access to the Kubelet API. Direct access to the Kubelet API bypasses controls such as audit logging (there is no audit log of Kubelet API access) and admission control.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to access the proxy sub-resource of node objects.
How to check it manually
Review the users who have access to the proxy sub-resource of node objects in the Kubernetes API.
Remediation
Where possible, remove access to the proxy sub-resource of node objects.
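The check and the remediation above are easiest to act on when the set of subjects that can reach nodes/proxy is listed mechanically and compared against the kubeadm defaults given in the Default Value section of this control. The script below is an added example, not Kubescape's own rule and not the output of any real cluster: it walks RBAC objects shaped like the items of `kubectl get clusterroles,clusterrolebindings -o json`, applies the same resource matching the RBAC authorizer uses for a nodes/proxy request (the core API group, and a resource of `*`, `nodes/proxy` or `*/proxy`), and reports every bound subject that is not one of the listed defaults. The ClusterRole and binding names in the embedded sample are constructed for illustration.

```python
"""Audit which subjects can reach the node/proxy sub-resource (added example)."""
import json
import sys

# Constructed sample, shaped like `kubectl get clusterroles,clusterrolebindings
# -o json` items: one kubeadm default binding, one over-broad custom binding,
# and one harmless binding that only reads nodes and nodes/status.
SAMPLE_RBAC = json.loads("""
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "node-debugger"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
   "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/status"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-team"},
   "roleRef": {"kind": "ClusterRole", "name": "node-debugger"},
   "subjects": [{"kind": "ServiceAccount", "name": "debugger", "namespace": "ops"},
                {"kind": "User", "name": "alice"}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
   "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
   "subjects": [{"kind": "Group", "name": "readers"}]}
]}
""")

# (binding, subject kind, subject name, namespace) tuples that kubeadm creates
# by default, taken from the Default Value section of this control.
KUBEADM_DEFAULTS = {("cluster-admin", "Group", "system:masters", "")} | {
    (f"system:controller:{c}", "ServiceAccount", c, "kube-system")
    for c in ("clusterrole-aggregation-controller", "daemon-set-controller",
              "job-controller", "persistent-volume-binder", "replicaset-controller",
              "replication-controller", "statefulset-controller")
}


def rule_grants_node_proxy(rule):
    """Mirror RBAC matching for a request on nodes/proxy: core group "" (or "*"),
    resource "*", exact "nodes/proxy", or the "*/proxy" sub-resource wildcard.
    Plain "nodes" or "nodes/status" does not reach the Kubelet."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False
    return any(r in ("*", "nodes/proxy", "*/proxy") for r in rule.get("resources", []))


def roles_granting_node_proxy(items):
    """Map ClusterRole name -> sorted verbs it grants on nodes/proxy."""
    found = {}
    for obj in items:
        if obj.get("kind") != "ClusterRole":
            continue
        verbs = set()
        for rule in obj.get("rules", []):
            if rule_grants_node_proxy(rule):
                verbs.update(rule.get("verbs", []))
        if verbs:
            found[obj["metadata"]["name"]] = sorted(verbs)
    return found


def subjects_with_node_proxy(items):
    """Every subject bound through a ClusterRoleBinding to such a role.
    RoleBindings are skipped on purpose: they only apply to namespaced
    requests, and nodes are cluster-scoped, so they cannot grant nodes/proxy."""
    risky = roles_granting_node_proxy(items)
    rows = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        ref = obj["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for s in obj.get("subjects", []):
            rows.append({"binding": obj["metadata"]["name"], "kind": s["kind"],
                         "name": s["name"], "namespace": s.get("namespace", ""),
                         "verbs": risky[ref["name"]]})
    return rows


def unexpected_subjects(items):
    """Subjects with nodes/proxy access that are not kubeadm defaults."""
    return [r for r in subjects_with_node_proxy(items)
            if (r["binding"], r["kind"], r["name"], r["namespace"]) not in KUBEADM_DEFAULTS]


if __name__ == "__main__":
    # Pass the path of a `kubectl get ... -o json` dump; with no argument the
    # constructed sample is audited instead.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RBAC
    for r in unexpected_subjects(data["items"]):
        print(r["binding"], r["kind"], r["name"], r["namespace"] or "-", ",".join(r["verbs"]))
```

On the sample, the only findings are the two subjects of the constructed `debug-team` binding; `system:masters` is recognised as a default and the `readers` group is not reported because `nodes` and `nodes/status` do not include the proxy sub-resource. Each reported row names the ClusterRoleBinding to edit or delete, which is the unit the Remediation section asks you to act on.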
Impact Statement
Users with access to the proxy sub-resource of node objects automatically have permissions to use the Kubelet API, which may allow for privilege escalation or bypass cluster security controls such as audit logs.
Default Value
By default in a kubeadm cluster the following principals have create privileges on node/proxy objects:

CLUSTERROLEBINDING                                      SUBJECT                               TYPE            SA-NAMESPACE
cluster-admin                                           system:masters                        Group
system:controller:clusterrole-aggregation-controller    clusterrole-aggregation-controller    ServiceAccount  kube-system
system:controller:daemon-set-controller                 daemon-set-controller                 ServiceAccount  kube-system
system:controller:job-controller                        job-controller                        ServiceAccount  kube-system
system:controller:persistent-volume-binder              persistent-volume-binder              ServiceAccount  kube-system
system:controller:replicaset-controller                 replicaset-controller                 ServiceAccount  kube-system
system:controller:replication-controller                replication-controller                ServiceAccount  kube-system
system:controller:statefulset-controller                statefulset-controller                ServiceAccount  kube-system
Example
No example