Information
Users with access to update the approval sub-resource of certificatesigningrequest objects (certificatesigningrequests/approval in the certificates.k8s.io API group) can approve new client certificates for the Kubernetes API, effectively allowing them to create new high-privileged user accounts: the approved certificate's subject becomes the username and its organizations become the group memberships, so a CSR can be approved for any identity, including members of system:masters.
This can allow for privilege escalation to full cluster administrator, depending on the users and groups configured in the cluster.
Rationale:
The ability to update certificate signing requests should be limited.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Where possible, remove access to the approval sub-resource of certificatesigningrequest objects.
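The check itself must be done by hand. The following is an added example (not part of the benchmark or of Nessus) that audits which RBAC subjects can reach the approval sub-resource. It expects the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` produce; the ClusterRoles and bindings embedded below are constructed sample data in that shape so the script runs offline. The role names, users and namespaces in the sample are assumptions for illustration. Note that a rule on plain `certificatesigningrequests` does not cover the sub-resource, while a wildcard `*` resource does, which is why cluster-admin-style roles are reported.

```python
"""Find RBAC subjects able to approve CertificateSigningRequests.

Approval is an UPDATE (or PATCH) on certificatesigningrequests/approval in
the certificates.k8s.io group. Wildcards in apiGroups, resources or verbs
also grant it. Namespaced Roles/RoleBindings use the same rule shape and
can be fed through the same functions.
"""
import json

CSR_GROUP = "certificates.k8s.io"
APPROVAL_RESOURCE = "certificatesigningrequests/approval"
APPROVAL_VERBS = {"update", "patch", "*"}


def rule_grants_csr_approval(rule):
    """True if a single PolicyRule allows updating the approval sub-resource."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    group_ok = CSR_GROUP in groups or "*" in groups
    # "certificatesigningrequests" alone does NOT include the sub-resource.
    resource_ok = APPROVAL_RESOURCE in resources or "*" in resources
    verb_ok = bool(APPROVAL_VERBS.intersection(verbs))
    return group_ok and resource_ok and verb_ok


def roles_granting_csr_approval(roles):
    """Names of (Cluster)Roles from a kubectl JSON list that grant approval."""
    return sorted(
        r["metadata"]["name"]
        for r in roles.get("items", [])
        # `rules` is emitted as null for roles with no rules.
        if any(rule_grants_csr_approval(rule) for rule in (r.get("rules") or []))
    )


def subjects_able_to_approve(roles, bindings):
    """(subject, role) pairs for bindings that reference an approving ClusterRole."""
    risky = set(roles_granting_csr_approval(roles))
    found = set()
    for b in bindings.get("items", []):
        ref = b.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for s in b.get("subjects") or []:   # subjects may be null
            ns = s.get("namespace")
            ident = f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}"
            found.add((ident, ref["name"]))
    return sorted(found)


def load_from_files(roles_path, bindings_path):
    """Real-world entry point: pass files saved from `kubectl get ... -o json`."""
    with open(roles_path) as r, open(bindings_path) as b:
        return subjects_able_to_approve(json.load(r), json.load(b))


def _role(name, rules):
    return {"metadata": {"name": name}, "rules": rules}


def _binding(name, role, subjects):
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": subjects}


# Constructed sample data (assumed names), shaped like kubectl's JSON output.
SAMPLE_ROLES = {"items": [
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _role("csr-approver", [
        {"apiGroups": [CSR_GROUP], "resources": [APPROVAL_RESOURCE], "verbs": ["update"]},
        {"apiGroups": [CSR_GROUP], "resources": ["signers"], "verbs": ["approve"],
         "resourceNames": ["kubernetes.io/kube-apiserver-client"]},
    ]),
    _role("csr-viewer", [{"apiGroups": [CSR_GROUP], "resources": ["certificatesigningrequests"],
                          "verbs": ["get", "list", "watch"]}]),
    # Can create/update CSR objects but NOT the approval sub-resource.
    _role("csr-editor", [{"apiGroups": [CSR_GROUP], "resources": ["certificatesigningrequests"],
                          "verbs": ["create", "update", "delete"]}]),
    _role("empty", None),
]}

SAMPLE_BINDINGS = {"items": [
    _binding("cluster-admin", "cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _binding("csr-approvers", "csr-approver", [
        {"kind": "User", "name": "alice"},
        {"kind": "ServiceAccount", "name": "approver-bot", "namespace": "cert-ops"},
    ]),
    _binding("csr-viewers", "csr-viewer", [{"kind": "Group", "name": "developers"}]),
    _binding("orphan", "csr-approver", None),
]}


if __name__ == "__main__":
    for subject, role in subjects_able_to_approve(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{subject} can approve CSRs via ClusterRole {role}")
```

Every subject the script lists should be either removed from the binding or justified (the certificate controller itself legitimately needs this access). The script reports only the approval sub-resource, which is what this benchmark item covers; the API server additionally requires the `approve` verb on the `signers` resource for the CSR's signerName before an approval succeeds, so a role with the sub-resource but no `signers` rule is over-privileged rather than immediately exploitable.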