RBAC Roles with Exec Permission
- Query id: c589f42c-7924-4871-aee2-1cede9bc7cbc
- Query name: RBAC Roles with Exec Permission
- Platform: Kubernetes
- Severity: Medium
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-exec
rules:
- apiGroups: [""]
resources: ["pods", "pods/exec"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-exec
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-exec
apiGroup: ""
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: my-namespace
name: allow-exec-neg
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-exec-neg
namespace: my-namespace
subjects:
- kind: User
name: bob
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-exec-neg
apiGroup: ""