RBAC roles with exec permission

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RBAC roles with exec permission

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: c589f42c-7924-4871-aee2-1cede9bc7cbc

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Access Control

Learn More

Provider Reference

Description

Roles or ClusterRoles with permissions to run commands in containers via kubectl exec could be abused by attackers to execute malicious code in case of compromise. To prevent this, the pods/exec verb should not be used in production environments.

Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-exec-neg
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-exec-neg
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-exec-neg
  apiGroup: ""

Non-Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-exec
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-exec
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-exec
  apiGroup: ""