Restrict Escalation Verbs Roles
Description
The verbs impersonate, bind, and escalate can each lead to privilege escalation and should be tightly controlled. This policy prevents the use of these verbs in Role or ClusterRole resources.
Kyverno Policy
Refer to the Nirmata curated policies - restrict-escalation-verbs-roles.
Resource Example
Below is an example of a ClusterRole resource that does not include any of the escalation verbs.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]
Below is an example of a Role resource that does not include any of the escalation verbs.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: goodrole01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]
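The following is an added example, not the Nirmata policy or Kyverno's own code: an offline checker that applies the same rule to Role and ClusterRole manifests before they reach the cluster (for instance in CI). It walks every entry of `rules[].verbs[]` and reports `impersonate`, `bind` and `escalate`. It goes one step beyond the page's wording by also reporting the RBAC wildcard verb `*`, since `*` grants every verb including the three restricted ones. The manifests are embedded as Python dictionaries so the script runs without a YAML library; `goodcr01` is the ClusterRole shown above, while `badrole01` and `wildcardcr01` are constructed non-compliant inputs.

```python
"""Offline check for escalation verbs in Kubernetes Role/ClusterRole manifests.

Added example; not the Nirmata curated policy and not Kyverno source code.
It mirrors the policy's intent (flag impersonate/bind/escalate) and, as an
extension, also flags the RBAC wildcard verb "*", which implies all verbs.
"""
from typing import Dict, Iterable, List

ESCALATION_VERBS = frozenset({"impersonate", "bind", "escalate"})
WILDCARD = "*"
RBAC_KINDS = ("Role", "ClusterRole")


def find_escalation_verbs(manifest: Dict) -> List[str]:
    """Return one finding per rule that grants an escalation verb (or "*").

    Objects that are not Role/ClusterRole produce no findings, matching the
    policy's match scope. An empty list means the manifest is compliant.
    """
    findings: List[str] = []
    kind = manifest.get("kind")
    if kind not in RBAC_KINDS:
        return findings
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for idx, rule in enumerate(manifest.get("rules") or []):
        verbs = rule.get("verbs") or []
        hits = sorted(v for v in verbs if v in ESCALATION_VERBS)
        if WILDCARD in verbs:  # "*" covers every verb, so it is reported too
            hits.append(WILDCARD)
        if hits:
            findings.append(f"{kind}/{name} rule[{idx}] grants {', '.join(hits)}")
    return findings


def check_manifests(manifests: Iterable[Dict]) -> Dict[str, List[str]]:
    """Map "Kind/name" to findings for every Role/ClusterRole in the input."""
    report: Dict[str, List[str]] = {}
    for m in manifests:
        if m.get("kind") in RBAC_KINDS:
            key = f"{m['kind']}/{m.get('metadata', {}).get('name', '<unnamed>')}"
            report[key] = find_escalation_verbs(m)
    return report


# The compliant ClusterRole from this page, as a dictionary.
GOOD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "goodcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "namespaces"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io", "apps"],
         "resources": ["deployments", "roles"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
         "verbs": ["update", "watch", "list"]},
    ],
}

# Constructed non-compliant Role: its second rule carries bind and impersonate.
BAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "badrole01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"],
         "verbs": ["bind", "impersonate", "get"]},
    ],
}

# Constructed ClusterRole using the wildcard verb, which implies all three.
WILDCARD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "wildcardcr01"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for obj, result in check_manifests(
            [GOOD_CLUSTERROLE, BAD_ROLE, WILDCARD_CLUSTERROLE]).items():
        print(obj, "OK" if not result else "; ".join(result))
```

Running the script prints `ClusterRole/goodcr01 OK`, one finding for `badrole01` naming `bind, impersonate`, and one for `wildcardcr01` naming `*`. A real YAML file can be fed in by loading each document with PyYAML (`yaml.safe_load_all`) and passing the resulting dictionaries to `check_manifests`.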