RBAC roles allow privilege escalation

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > RBAC roles allow privilege escalation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

Id: 8320826e-7a9c-4b0b-9535-578333193432

Cloud Provider: k8s

Framework: Kubernetes

Severity: Medium

Category: Access Control

Learn More

Provider Reference

Description

Roles or ClusterRoles with bind or escalate permissions allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges.

Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: not-rbac-binder
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["create"]

Non-Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rbac-binder
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["create"]