Permissive Access to Create Pods
- Query id: 592ad21d-ad9b-46c6-8d2d-fad09d62a942
- Query name: Permissive Access to Create Pods
- Platform: Kubernetes
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
The permission to create pods in a cluster should be restricted because it allows privilege escalation.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "watch"
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader2
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["get", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader3
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: secret-reader4
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["get", "watch", "*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader5
rules:
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "watch"
- "c*e"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader6
rules:
- apiGroups: [""]
resources: ["p*ds"]
verbs: ["get", "watch", "create"]
Positive test num. 2 - yaml file
#this is a problematic code where the query should report a result(s)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- custom
verbs:
- create
- delete
- apiGroups:
- "*"
resources:
- "*"
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader2
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-reader4
rules:
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "watch"