Restrict Escalation Verbs Roles

Description

The RBAC verbs impersonate, bind, and escalate each let a subject obtain permissions beyond those it was directly granted, so they should be tightly controlled. This policy blocks the use of these verbs in Role and ClusterRole resources.

Risks

Risks associated with the bind, escalate, and impersonate verbs:

Bind Verb

By default, the Kubernetes API server only lets a user create or update a RoleBinding or ClusterRoleBinding that references a role if that user already holds every permission contained in the role. The bind verb on roles or clusterroles switches that check off for the referenced role. A user who has bind together with create or update on rolebindings or clusterrolebindings can therefore bind a role with broad permissions to themselves or to others, gaining access to sensitive resources that were never granted to them.

Escalate Verb

Similarly, creating or updating a Role or ClusterRole normally requires that the caller already hold every permission the role grants. The escalate verb on roles or clusterroles bypasses that check, so a user who has escalate together with create or update on roles can write permissions into a role that they do not themselves have and then raise their own privileges through a binding to that role. An attacker can exploit this to perform unintended actions in the cluster.

Impersonate Verb

The impersonate verb allows a user to act as another user, group, or service account (for example with kubectl --as or --as-group). Every request made this way is authorized as the impersonated identity, so if an attacker can impersonate a user with elevated privileges, they can execute actions on behalf of that user and negatively impact the cluster. Audit logs record the impersonated identity along with the original user, which is the trail to look for when reviewing this kind of activity.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-escalation-verbs-roles.
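The check such a policy performs is simple: walk every rule in the Role or ClusterRole and deny the resource if any verb is bind, escalate, or impersonate. The following Python script is an added example written for this page, not the Nirmata curated policy or Kyverno's own code; the function names evaluate and find_escalation_verbs, and the badcr01 and wildcard-role manifests, are constructed for illustration. The goodcr01 manifest is the ClusterRole shown in the Resource Example below. As an added caveat beyond a check for the literal verb names, it also reports the wildcard verb "*", which implicitly grants every verb including the three escalation verbs and so passes a literal-name check while still being dangerous.

```python
"""Flag Role/ClusterRole manifests that grant RBAC escalation verbs.

Added example, not the curated Kyverno policy. It mirrors the policy's
deny condition (any of bind/escalate/impersonate in rules[].verbs[]) and
additionally warns about the wildcard verb "*", which a literal check misses.
Manifests are given as already-parsed dicts so no YAML library is required.
"""

ESCALATION_VERBS = frozenset({"bind", "escalate", "impersonate"})
WILDCARD_VERB = "*"


def find_escalation_verbs(manifest):
    """Return [(rule_index, verb), ...] for every escalation verb in the rules.

    Kubernetes verbs are exact lowercase strings, so the comparison is exact.
    """
    findings = []
    for index, rule in enumerate(manifest.get("rules") or []):
        for verb in rule.get("verbs") or []:
            if verb in ESCALATION_VERBS:
                findings.append((index, verb))
    return findings


def uses_wildcard_verb(manifest):
    """True if any rule grants the wildcard verb, which covers all verbs."""
    return any(WILDCARD_VERB in (rule.get("verbs") or [])
               for rule in manifest.get("rules") or [])


def evaluate(manifest):
    """Return (allowed, message) the way an admission check would.

    Only Role and ClusterRole are in scope; anything else is allowed through.
    Literal escalation verbs are denied; a wildcard verb is allowed (as the
    page's policy would) but reported so a stricter policy can act on it.
    """
    kind = manifest.get("kind")
    if kind not in ("Role", "ClusterRole"):
        return True, f"{kind}: not in scope"
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    findings = find_escalation_verbs(manifest)
    if findings:
        detail = ", ".join(f"rule {i} grants '{v}'" for i, v in findings)
        return False, (f"{kind}/{name}: use of verbs bind, escalate and "
                       f"impersonate is forbidden ({detail})")
    if uses_wildcard_verb(manifest):
        return True, (f"{kind}/{name}: no literal escalation verb, but the "
                      f"wildcard verb '*' implicitly includes them")
    return True, f"{kind}/{name}: no escalation verbs"


# Constructed sample manifests. goodcr01 is the compliant ClusterRole from
# the page; badcr01 and wildcard-role are made up for this example.
GOOD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "goodcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "namespaces"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io", "apps"],
         "resources": ["deployments", "roles"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterroles"],
         "verbs": ["update", "watch", "list"]},
    ],
}

BAD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "badcr01"},
    "rules": [
        # bind/escalate apply to the roles and clusterroles resources
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterroles"],
         "verbs": ["bind", "escalate"]},
        # impersonate applies to users, groups and serviceaccounts in core
        {"apiGroups": [""], "resources": ["users", "groups"],
         "verbs": ["impersonate"]},
    ],
}

WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "wildcard-role", "namespace": "default"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


if __name__ == "__main__":
    for manifest in (GOOD_CLUSTERROLE, BAD_CLUSTERROLE, WILDCARD_ROLE):
        allowed, message = evaluate(manifest)
        print("ALLOW" if allowed else "DENY ", message)
```

Running the script denies badcr01 on its first two rules, allows goodcr01, and allows wildcard-role with a warning; if your threat model treats the wildcard as equivalent to granting the escalation verbs, pair this policy with a separate restriction on wildcard verbs rather than widening this one.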

Resource Example

Below is an example of a ClusterRole resource that does not include any of the escalation verbs and therefore passes the policy. Note that its third rule still grants update on clusterroles; this is permitted because, without the escalate verb, the API server rejects any update that adds permissions the caller does not already hold, but it remains a sensitive grant that should be reviewed on its own merits.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]

Below is an example of a Role resource that does not include any of the escalation verbs.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: goodrole01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]