Docs
HomeGitHubSign Up

C-0280 - Minimize access to the approval sub-resource of certificatesigningrequests objects

Suggest Edits

Framework

cis-v1.10.0

Severity

Medium

Description of the the issue

Users with access to the update the approval sub-resource of certificateaigningrequests objects can approve new client certificates for the Kubernetes API effectively allowing them to create new high-privileged user accounts. This can allow for privilege escalation to full cluster administrator, depending on users configured in the cluster

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have RBAC permissions to update the approval sub-resource of certificatesigningrequests objects.

How to check it manually

Review the users who have access to update the approval sub-resource of certificatesigningrequests objects in the Kubernetes API.

Remediation

Where possible, remove access to the approval sub-resource of certificatesigningrequests objects.

Impact Statement

Users with access to the approval sub-resource of certificatesigningrequests objects can approve new client certificates for the Kubernetes API effectively allowing them to create new high-privileged user accounts.

Default Value

By default in a kubeadm cluster the following list of principals have update privileges on certificatesigningrequests/approval objects CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:daemon-set-controller daemon-set-controller ServiceAccount kube-systemsystem:controller:job-controller job-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:controller:replicaset-controller replicaset-controller ServiceAccount kube-systemsystem:controller:replication-controller replication-controller ServiceAccount kube-systemsystem:controller:statefulset-controller statefulset-controller ServiceAccount kube-system

Example

No example

Updated 26 days ago