--- title: Permissive access to create pods description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Permissive access to create pods --- # Permissive access to create pods {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-kubernetes-permissive-access-to-create-pods` **Provider:** Kubernetes **Platform:** Terraform **Severity:** Medium **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule) ### Description{% #description %} The permission to create `pods` in a cluster should be restricted because it allows privilege escalation. This rule inspects `kubernetes_role` and `kubernetes_cluster_role` resources and reports when a rule's `verbs` contains `create` while its `resources` contains `pods` or a wildcard value. It also flags cases where `verbs` or `resources` contain a wildcard (for example, `*`) in combination with `pods`, since those broaden access and can enable pod creation. Restricting these permissions reduces the risk of workloads obtaining elevated privileges. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "kubernetes_role" "example" { metadata { name = "terraform-example" labels = { test = "MyRole" } } rule { api_groups = [""] resources = ["pods"] resource_names = ["foo"] verbs = ["get", "list", "watch"] } rule { api_groups = ["apps"] resources = ["deployments"] verbs = ["get", "list"] } } ``` ```terraform resource "kubernetes_cluster_role" "example" { metadata { name = "terraform-example" } rule { api_groups = [""] resources = ["namespaces", "pods"] verbs = ["get", "list", "watch"] } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "kubernetes_role" "example1" { metadata { name = "terraform-example1" labels = { test = "MyRole" } } rule { api_groups = [""] resources = ["pods"] resource_names = ["foo"] verbs = ["create", "list", "watch"] } rule { api_groups = ["apps"] resources = ["deployments"] verbs = ["get", "list"] } } resource "kubernetes_role" "example2" { metadata { name = "terraform-example2" labels = { test = "MyRole" } } rule { api_groups = [""] resources = ["*"] resource_names = ["foo"] verbs = ["create", "list", "watch"] } } resource "kubernetes_role" "example3" { metadata { name = "terraform-example3" labels = { test = "MyRole" } } rule { api_groups = [""] resources = ["pods"] resource_names = ["foo"] verbs = ["*", "list", "watch"] } } resource "kubernetes_role" "example4" { metadata { name = "terraform-example4" labels = { test = "MyRole" } } rule { api_groups = [""] resources = ["*"] resource_names = ["foo"] verbs = ["*", "list", "watch"] } } ``` ```terraform resource "kubernetes_cluster_role" "example1" { metadata { name = "terraform-example1" } rule { api_groups = [""] resources = ["namespaces", "pods"] verbs = ["create", "list", "watch"] } } resource "kubernetes_cluster_role" "example2" { metadata { name = "terraform-example2" } rule { api_groups = [""] resources = ["namespaces", "*"] verbs = ["create", "list", "watch"] } } resource "kubernetes_cluster_role" "example3" { metadata { name = "terraform-example3" } rule { api_groups = [""] resources = ["namespaces", "*"] verbs = ["*", "list", "watch"] } } resource "kubernetes_cluster_role" "example4" { metadata { name = "terraform-example4" } rule { api_groups = [""] resources = ["namespaces", "pods"] verbs = ["*", "list", "watch"] } } ```