RBAC roles with attach permission
This product is not supported for your selected
Datadog site. (
).
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Id: d45330fd-f58d-45fb-a682-6481477a0f84
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: Medium
Category: Access Control
Learn More
Description
Roles or ClusterRoles that permit attaching to containers via kubectl attach can be abused by attackers to read process output (stdout, stderr) and send input (stdin) to running processes.
They can also allow a malicious user to attach to a privileged container, resulting in privilege escalation.
For this reason, the pods/attach resource should not be included in production Role or ClusterRole rules. This rule flags Role or ClusterRole documents whose rules include the pods/attach resource (and related verb entries such as create or *). Findings support least-privilege enforcement by identifying and removing attach permissions from cluster roles.
Compliant Code Examples
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-attach-neg
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-attach-neg
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-attach-neg
apiGroup: ""
Non-Compliant Code Examples
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-attach
rules:
- apiGroups: [""]
resources: ["pods", "pods/attach"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-attach
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-attach
apiGroup: ""
