Ensure impersonate access to Kubernetes resources is minimized in Kubernetes Role

HIGH

Description

Configuring a Role with the verb impersonate for resources group/user/* can let an attacker impersonate legitimate resources.

Remediation

Make sure that use of the verb impersonate for any Kubernetes resource is prohibited unless required. To make this change, remove all RoleBindings or ClusterRoleBindings that are overly permissive.
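One way to audit Roles for the condition described above, as an added example that is not part of the original page and not the scanner's own rule logic for AC_K8S_0102. The function names and the sample Role manifests are constructed for illustration; the check assumes users and groups live in the core API group and treats a "*" verb as including impersonate.

```python
import json

# Resources the page names as impersonation targets (user, group, or the "*" wildcard).
IMPERSONATION_TARGETS = {"users", "groups", "*"}

# Constructed sample manifests (JSON form of Kubernetes Role objects); not from the page.
SAMPLE_ROLES = json.loads("""
[
  {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "build"},
   "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
  {"kind": "Role", "metadata": {"name": "wildcard-admin", "namespace": "ops"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "support-view-as", "namespace": "ops"},
   "rules": [{"apiGroups": [""], "resources": ["users"], "verbs": ["impersonate"],
              "resourceNames": ["readonly-support"]}]},
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "web"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]
""")

def impersonation_findings(role):
    """Return one finding per rule that grants impersonate on users, groups or '*'."""
    findings = []
    for index, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        groups = set(rule.get("apiGroups") or [])
        # A "*" verb includes impersonate; users/groups are core-group ("") resources.
        if not verbs & {"impersonate", "*"} or not groups & {"", "*"}:
            continue
        hit = sorted(resources & IMPERSONATION_TARGETS)
        if not hit:
            continue
        findings.append({
            "role": role["metadata"]["name"],
            "rule_index": index,
            "resources": hit,
            # resourceNames narrows the grant to named identities; empty means any identity.
            "scoped_to": sorted(rule.get("resourceNames") or []),
        })
    return findings

def scan(roles):
    """Flatten findings across a list of Role objects."""
    return [f for role in roles for f in impersonation_findings(role)]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROLES):
        print(("REVIEW" if f["scoped_to"] else "HIGH"), f["role"], f["resources"], f["scoped_to"])
```

Findings with an empty scoped_to list allow impersonating any identity of that kind; those with resourceNames are limited to the listed identities and still need a justification for the grant.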

Policy Details

Rule Reference ID: AC_K8S_0102
Remediation Available: No
Resource: kubernetes_role
Resource Category: Management
Resource Type: Role

Frameworks