RBAC Roles with Attach Permission
- Query id: d45330fd-f58d-45fb-a682-6481477a0f84
- Query name: RBAC Roles with Attach Permission
- Platform: Kubernetes
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-attach
rules:
- apiGroups: [""]
resources: ["pods", "pods/attach"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-attach
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-attach
apiGroup: ""
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-attach-neg
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-attach-neg
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-attach-neg
apiGroup: ""