C-0281 - Minimize access to webhook configuration objects
Framework
cis-v1.10.0
Severity
Medium
Description of the the issue
Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.
Related resources
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have RBAC permissions to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations objects.
How to check it manually
Review the users who have access to validatingwebhookconfigurations or mutatingwebhookconfigurations objects in the Kubernetes API.
Remediation
Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects
Impact Statement
Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.
Default Value
By default in a kubeadm cluster the following list of principals have create/modify/delete
privileges on validatingwebhookconfigurations/mutatingwebhookconfigurations
objects CLUSTERROLEBINDING SUBJECT TYPE SA-NAMESPACEcluster-admin system:masters Group system:controller:clusterrole-aggregation-controller clusterrole-aggregation-controller ServiceAccount kube-systemsystem:controller:daemon-set-controller daemon-set-controller ServiceAccount kube-systemsystem:controller:job-controller job-controller ServiceAccount kube-systemsystem:controller:persistent-volume-binder persistent-volume-binder ServiceAccount kube-systemsystem:controller:replicaset-controller replicaset-controller ServiceAccount kube-systemsystem:controller:replication-controller replication-controller ServiceAccount kube-systemsystem:controller:statefulset-controller statefulset-controller ServiceAccount kube-system
Example
No example
Updated about 1 month ago