Restrict Escalation Verbs Roles

Description

The verbs impersonate, bind, and escalate each bypass a safeguard that normally stops a subject from handing out more access than it already holds: escalate allows creating or updating a Role or ClusterRole that grants permissions the caller does not itself have, bind allows creating a RoleBinding or ClusterRoleBinding to a role whose permissions the caller does not have, and impersonate allows acting as another user, group, or service account. Any of the three can therefore lead to privilege escalation and should be tightly controlled. This policy denies Role and ClusterRole resources whose rules include any of these verbs.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-escalation-verbs-roles.

Resource Example

Below is an example of a ClusterRole resource that does not include any of the escalation verbs. Note that it still grants update on clusterroles; that passes this policy, but it remains a sensitive permission, bounded only by the API server's built-in check that a role can only be updated to grant permissions the updater already holds.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]

Below is an example of a Role resource that does not include any of the escalation verbs. As with the ClusterRole above, the update verb on clusterroles is permitted by this policy but is still a permission to review carefully.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: goodrole01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io", "apps"]
  resources: ["deployments", "roles"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["update", "watch", "list"]
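The check described in the Description section, as an added example in Python that is not part of this page or of the Nirmata/Kyverno policy: it applies the same rule to Role and ClusterRole objects (the shape Kyverno sees as request.object), runs it over constructed copies of the objects above plus two hypothetical offenders, and, going beyond the page, also flags the wildcard verb "*", which RBAC expands to every verb including these three. The object names badcr01 and wild, the message wording, and the --stdin flag are this example's own assumptions.

```python
"""Offline checker for the escalation-verb rule described on this page.

Added example, not the Nirmata/Kyverno policy itself. It walks rules[].verbs[]
of a Role or ClusterRole and reports every rule granting bind, escalate or
impersonate. Beyond the page's rule, the wildcard verb "*" is reported too,
because RBAC treats "*" as every verb. With --stdin it reads the JSON that
`kubectl get roles,clusterroles -A -o json` prints, so it can audit a cluster.
"""
import json
import sys

ESCALATION_VERBS = frozenset({"bind", "escalate", "impersonate"})


def find_escalation_rules(obj):
    """Return one finding per offending rule of a Role/ClusterRole object."""
    findings = []
    for idx, rule in enumerate(obj.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        hits = sorted(verbs & ESCALATION_VERBS)
        if "*" in verbs:  # wildcard silently includes bind/escalate/impersonate
            hits.append("*")
        if hits:
            findings.append({
                "rule": idx,
                "verbs": hits,
                "resources": list(rule.get("resources") or []),
            })
    return findings


def validate(obj):
    """Admission-style verdict for one object: (allowed, message)."""
    kind = obj.get("kind")
    if kind not in ("Role", "ClusterRole"):
        return True, "%s: not in scope" % kind
    meta = obj.get("metadata") or {}
    ident = kind + "/" + meta.get("name", "<unnamed>")
    if kind == "Role" and meta.get("namespace"):  # Roles are namespaced
        ident = meta["namespace"] + "/" + ident
    findings = find_escalation_rules(obj)
    if not findings:
        return True, ident + ": no escalation verbs"
    details = "; ".join(
        "rule %d grants %s on %s"
        % (f["rule"], ",".join(f["verbs"]), ",".join(f["resources"]))
        for f in findings
    )
    return False, ident + ": use of verbs escalate, bind, impersonate is forbidden (" + details + ")"


def validate_all(doc):
    """Accept a single object or a kubectl List; return [(allowed, message)]."""
    items = doc.get("items") or [] if str(doc.get("kind", "")).endswith("List") else [doc]
    return [validate(item) for item in items]


# Constructed sample objects (not taken from a live cluster).
GOOD_CLUSTERROLE = {  # same rules as goodcr01 above: read verbs plus update on clusterroles
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "goodcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io", "apps"], "resources": ["deployments", "roles"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["update", "watch", "list"]},
    ],
}
BAD_CLUSTERROLE = {  # hypothetical offender: bind and escalate on clusterroles
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "badcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind", "escalate", "list"]},
    ],
}
WILDCARD_ROLE = {  # hypothetical offender: verbs ["*"] includes impersonate
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "wild", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    if "--stdin" in sys.argv:
        doc = json.load(sys.stdin)
    else:
        doc = {"kind": "List", "items": [GOOD_CLUSTERROLE, BAD_CLUSTERROLE, WILDCARD_ROLE]}
    denied = 0
    for allowed, msg in validate_all(doc):
        print(("ALLOW " if allowed else "DENY  ") + msg)
        denied += not allowed
    sys.exit(1 if denied else 0)
```

Run without arguments it reports ALLOW for goodcr01 and DENY for the two constructed offenders and exits non-zero; `kubectl get roles,clusterroles -A -o json | python3 check_escalation_verbs.py --stdin` runs the same check over a cluster's existing roles, which an admission policy alone never revisits.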