Roles and cluster roles should not grant 'create' permissions for pods
Description
Minimize the number of RBAC roles that can create pods. Granting this permission opens a privilege escalation path: a subject that can create pods can bind them to privileged service accounts or mount volumes and secrets it could not otherwise read. Do not grant pod creation privileges by default.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that ClusterRoles and Roles do not list 'create' as a permitted verb for pods.
Example Configuration
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example-name
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
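The check this policy describes, written out as an added audit script (not code from the policy page): it reads the JSON that `kubectl get roles -A -o json` or `kubectl get clusterroles -o json` emits and reports every role whose rules grant 'create' on pods. It goes a step beyond the policy text by treating the wildcard '*' in apiGroups, resources or verbs as a match, since such rules grant the permission without the literal words appearing. The embedded input is a constructed sample, not output from a real cluster.

```python
import json

# Constructed sample modelled on the JSON that `kubectl get roles -A -o json`
# (or `kubectl get clusterroles -o json`) emits; not captured from a real cluster.
SAMPLE_RBAC_JSON = """
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "watch", "list"]}]},
  {"kind": "Role", "metadata": {"name": "pod-launcher", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods"],
              "verbs": ["get", "create"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "exec-only", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods/exec"],
              "verbs": ["create"]}]}
]}
"""


def rule_grants_pod_create(rule):
    """True if one RBAC rule lets a subject create pods.
    Wildcards count: '*' in apiGroups, resources or verbs grants the permission
    without the literal 'pods' or 'create' appearing. Subresources such as
    'pods/exec' are distinct resources and fall outside this policy's scope.
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    in_core_group = "" in groups or "*" in groups
    covers_pods = "pods" in resources or "*" in resources
    can_create = "create" in verbs or "*" in verbs
    return in_core_group and covers_pods and can_create


def find_pod_creators(rbac_json):
    """Return 'Kind/name' (namespaced Roles: 'Kind/namespace/name') per offender."""
    findings = []
    for item in json.loads(rbac_json).get("items", []):
        if any(rule_grants_pod_create(r) for r in item.get("rules", [])):
            meta = item["metadata"]
            scope = f"/{meta['namespace']}" if "namespace" in meta else ""
            findings.append(f"{item['kind']}{scope}/{meta['name']}")
    return findings


if __name__ == "__main__":
    for finding in find_pod_creators(SAMPLE_RBAC_JSON):
        print("grants create on pods:", finding)
```

Run against the sample it flags the namespaced Role that lists 'create' and the wildcard ClusterRole, while the read-only role and the 'pods/exec' rule pass.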