Ensure Kubernetes rolebindings with get and patch Kubernetes roles are minimized in Kubernetes Role

MEDIUM

Description

A Kubernetes Role, other than the one bound to the cluster-admin service account, that grants get and patch on rolebindings gives an attacker who obtains that Role a chance to modify the bindings, for example by adding impersonated users or groups as subjects.

Remediation

Make sure that Roles which allow get and patch on rolebindings are granted only to the cluster-admin service account. To make this change, remove all RoleBindings or ClusterRoleBindings that are overly permissive.
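As an added illustration that is not part of this policy page or of any scanner's code, the check below mirrors rule AC_K8S_0108 over Role/ClusterRole manifests held as Python dicts (the shape a YAML loader would produce). It assumes the built-in cluster-admin ClusterRole is the only permitted exception, treats "*" wildcards as covering get and patch, and catches verbs spread across separate rules; the sample manifests are constructed, not taken from a real cluster.

```python
# Added example (not from the policy page): offline check mirroring AC_K8S_0108.
# Flags a Role/ClusterRole that can both "get" and "patch" rolebindings,
# honouring "*" wildcards, and exempts only the built-in cluster-admin role.

RBAC_GROUP = "rbac.authorization.k8s.io"
FLAGGED_VERBS = {"get", "patch"}

def _covers(values, wanted):
    """True if an RBAC list names the wanted value or the "*" wildcard."""
    return any(v in ("*", wanted) for v in values)

def rolebinding_verbs(role):
    """Collect every verb the role grants on rolebindings, across all its rules."""
    verbs = set()
    for rule in role.get("rules") or []:
        # rolebindings live in the RBAC API group; a missing apiGroups means core ("").
        if not _covers(rule.get("apiGroups", [""]), RBAC_GROUP):
            continue
        if not _covers(rule.get("resources", []), "rolebindings"):
            continue
        verbs.update(rule.get("verbs", []))
    return verbs

def violates_ac_k8s_0108(role):
    """True when a role other than cluster-admin can get and patch rolebindings."""
    meta = role.get("metadata", {})
    if role.get("kind") == "ClusterRole" and meta.get("name") == "cluster-admin":
        return False  # the policy allows this capability only for cluster-admin
    verbs = rolebinding_verbs(role)
    return "*" in verbs or FLAGGED_VERBS <= verbs

# Constructed sample manifests (not taken from any real cluster).
OVERLY_PERMISSIVE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "binding-editor", "namespace": "dev"},
    "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
               "resources": ["rolebindings"],
               "verbs": ["get", "list", "patch"]}],
}
READ_ONLY_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "binding-viewer", "namespace": "dev"},
    "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
               "resources": ["rolebindings"],
               "verbs": ["get", "list", "watch"]}],
}

if __name__ == "__main__":
    print([violates_ac_k8s_0108(r) for r in (OVERLY_PERMISSIVE_ROLE, READ_ONLY_ROLE)])
```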

Policy Details

Rule Reference ID: AC_K8S_0108
Remediation Available: No
Resource: kubernetes_role
Resource Category: Management
Resource Type: Role

Frameworks