---
title: "Restrict ClusterRole Nodesproxy"
diataxis: reference
applies_to:
  product: "kyverno"
audience: ["platform-engineer","devsecops"]
last_updated: 2026-03-25
url: https://docs.nirmata.io/docs/policy-sets/rbac_best_practices/restrict-clusterrole-nodesproxy/
---


### Description

A ClusterRole that grants the `nodes/proxy` subresource allows a user to do anything the kubelet API allows on the node, including listing pods, reading container logs, and running commands in any container on that node. Such requests can be sent through the API server's node proxy, and, because the kubelet's webhook authorizer maps most of its API paths to the `nodes/proxy` subresource, the same credential also works directly against the kubelet port, bypassing the API server and therefore its audit logging and admission controllers. Refer to the [official Aquasec blog](https://blog.aquasec.com/privilege-escalation-kubernetes-rbac) for more info. This policy prevents the creation of a ClusterRole if it contains the `nodes/proxy` resource.

### Risks

Risks associated with a ClusterRole containing the `nodes/proxy` resource:
- `Privilege Escalation`: A user with permissions on the `nodes/proxy` subresource has full access to the kubelet API on every node in the cluster, either by proxying requests through the API server or by contacting the kubelet directly, and can execute commands in any pod on any node. None of this requires `pods/exec` or other pod-level permissions, so the effective privileges can go well beyond what the cluster administrator intended when granting what looks like a node-scoped permission.

Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/119640) for more information.

### Kyverno Policy

Refer to the Nirmata curated policies - [restrict-clusterrole-nodesproxy](https://github.com/nirmata/kyverno-policies/blob/main/rbac-best-practices/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml).

#### Resource Example

Below are examples of two `ClusterRole` resources that do not grant the `nodes/proxy` resource and are therefore allowed by the policy. Note that the second one grants `nodes` only; in RBAC a resource entry does not imply its subresources, so `nodes` alone does not confer `nodes/proxy`.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
```

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr02
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
```
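As an added example (not the Nirmata curated policy linked above and not Kyverno project code), the following Kyverno `ClusterPolicy` implements the check this page describes, followed by a constructed `ClusterRole` that it rejects. The policy name, rule name and ClusterRole name are assumed. It goes slightly beyond the literal `nodes/proxy` string: Kubernetes RBAC rule evaluation also treats a bare `*` in `resources` and the form `*/proxy` (the `proxy` subresource of any resource) as matching `nodes/proxy`, so both are denied as well, while `nodes/*` is not expanded by RBAC and grants nothing. The JMESPath default `|| `[]`` keeps the condition well-formed for a ClusterRole that has no `rules` at all.

```yaml
# Added example policy, not the curated policy linked above.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-clusterrole-nodesproxy-example   # assumed name
spec:
  validationFailureAction: Enforce   # start with Audit to measure impact
  background: true                   # also report existing ClusterRoles
  rules:
  - name: deny-nodes-proxy           # assumed rule name
    match:
      any:
      - resources:
          kinds:
          - ClusterRole
    validate:
      message: >-
        ClusterRoles may not grant the nodes/proxy subresource or a
        wildcard that covers it ("*" or "*/proxy").
      deny:
        conditions:
          any:
          # Flatten the resources lists of every rule and check for the
          # literal subresource plus the two wildcard spellings that RBAC
          # evaluation treats as matching it.
          - key: nodes/proxy
            operator: AnyIn
            value: "{{ request.object.rules[].resources[] || `[]` }}"
          - key: "*/proxy"
            operator: AnyIn
            value: "{{ request.object.rules[].resources[] || `[]` }}"
          - key: "*"
            operator: AnyIn
            value: "{{ request.object.rules[].resources[] || `[]` }}"
---
# Constructed ClusterRole that the policy above rejects: it grants
# nodes/proxy with create (POST), which is enough to exec into any pod
# on any node via the kubelet API.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: badcr01   # assumed name
rules:
- apiGroups: [""]
  resources: ["nodes", "nodes/proxy"]
  verbs: ["get", "create"]
```

Apply the file with `kubectl apply -f`; the `badcr01` document is then refused by the Kyverno admission webhook with the message above, while `goodcr01` and `goodcr02` from the section above are admitted. Running in `Audit` mode first with `background: true` makes Kyverno list already existing ClusterRoles that grant the subresource in its policy reports, which is the quickest way to find offending roles before switching to `Enforce`.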

