Restrict ClusterRole Nodesproxy
Description
A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass the API server and talk directly to the kubelet, potentially circumventing audit logging and admission controllers. Refer to the official Aquasec blog for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.
Risks
Risks associated with a ClusterRole containing the nodes/proxy resource:
Privilege Escalation: A user with permissions on the nodes/proxy subresource in a cluster has full permissions against the kubelet API on any node by proxying requests through the API server, and can execute commands in any pod. This may represent privileges beyond those expected by the cluster administrator.
Refer to this issue for more information.
Kyverno Policy
Refer to the Nirmata curated policies - restrict-clusterrole-nodesproxy.
Resource Example
Below are examples of two ClusterRole resources that do not have the nodes/proxy resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
  - apiGroups: [""]
    resources: ["pods", "namespaces"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr02
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "watch", "list"]
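
An added audit sketch (not part of the Nirmata policy or of the original page): it scans ClusterRoles, in the JSON shape returned by `kubectl get clusterroles -o json`, for the nodes/proxy resource that the policy rejects. Going beyond the page's literal check, it also flags the `*` and `*/proxy` wildcards in the core API group, which RBAC resolves to the same subresource; every sample role other than goodcr01 and goodcr02 is constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles -o json`.
# goodcr01/goodcr02 mirror the page; the other roles are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "goodcr01"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get"]},
             {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}]},
  {"metadata": {"name": "goodcr02"},
   "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]}]},
  {"metadata": {"name": "badcr-literal"},
   "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
  {"metadata": {"name": "badcr-wildcard"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"metadata": {"name": "aggregated-empty"}, "rules": null},
  {"metadata": {"name": "apps-wildcard"},
   "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get"]}]}
]}
""")

# Resource strings that RBAC matches against a request for nodes/proxy.
GRANTING = {"nodes/proxy", "*", "*/proxy"}


def rule_findings(rule):
    """Return the resource strings in one rule that grant nodes/proxy."""
    groups = rule.get("apiGroups") or []
    # Nodes live in the core ("") API group; "*" covers every group.
    if "" not in groups and "*" not in groups:
        return []
    return [r for r in rule.get("resources") or [] if r in GRANTING]


def audit(cluster_roles):
    """Map ClusterRole name -> sorted offending resource strings."""
    report = {}
    for role in cluster_roles.get("items", []):
        hits = set()
        for rule in role.get("rules") or []:  # aggregated roles may have null rules
            hits.update(rule_findings(rule))
        if hits:
            report[role["metadata"]["name"]] = sorted(hits)
    return report


if __name__ == "__main__":
    for name, resources in audit(SAMPLE).items():
        print(f"{name}: grants nodes/proxy via {resources}")
```

The check ignores verbs, matching the page's policy, which rejects the resource regardless of the verbs attached to it.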