RBAC roles with exec permission

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: c589f42c-7924-4871-aee2-1cede9bc7cbc

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Access Control

Learn More

Description

Roles or ClusterRoles that grant permissions to run commands in containers via kubectl exec can be abused by attackers to execute malicious code if a subject is compromised. To reduce this risk, the pods/exec verb should not be used in production environments. Such permissions increase the attack surface and violate the principle of least privilege. When exec access is required, it should be tightly scoped to specific subjects and namespaces and regularly audited.

Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-exec-neg
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-exec-neg
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-exec-neg
  apiGroup: ""

Non-Compliant Code Examples

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-exec
rules:
- apiGroups: [""]
  resources: ["pods", "pods/exec"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-exec
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-exec
  apiGroup: ""