Permissive Access to Create Pods

  • Query id: 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba
  • Query name: Permissive Access to Create Pods
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • CWE: 269
  • URL: Github

Description

The permission to create pods in a cluster should be restricted because it allows privilege escalation.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "kubernetes_role" "example1" {
  metadata {
    name = "terraform-example1"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["pods"]
    resource_names = ["foo"]
    verbs          = ["create", "list", "watch"]
  }

  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }
}

resource "kubernetes_role" "example2" {
  metadata {
    name = "terraform-example2"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["*"]
    resource_names = ["foo"]
    verbs          = ["create", "list", "watch"]
  }
}

resource "kubernetes_role" "example3" {
  metadata {
    name = "terraform-example3"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["pods"]
    resource_names = ["foo"]
    verbs          = ["*", "list", "watch"]
  }
}

resource "kubernetes_role" "example4" {
  metadata {
    name = "terraform-example4"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["*"]
    resource_names = ["foo"]
    verbs          = ["*", "list", "watch"]
  }
}
Positive test num. 2 - tf file
resource "kubernetes_cluster_role" "example1" {
  metadata {
    name = "terraform-example1"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["create", "list", "watch"]
  }
}

resource "kubernetes_cluster_role" "example2" {
  metadata {
    name = "terraform-example2"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "*"]
    verbs      = ["create", "list", "watch"]
  }
}

resource "kubernetes_cluster_role" "example3" {
  metadata {
    name = "terraform-example3"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "*"]
    verbs      = ["*", "list", "watch"]
  }
}

resource "kubernetes_cluster_role" "example4" {
  metadata {
    name = "terraform-example4"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["*", "list", "watch"]
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "kubernetes_role" "example" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyRole"
    }
  }

  rule {
    api_groups     = [""]
    resources      = ["pods"]
    resource_names = ["foo"]
    verbs          = ["get", "list", "watch"]
  }
  rule {
    api_groups = ["apps"]
    resources  = ["deployments"]
    verbs      = ["get", "list"]
  }
}
Negative test num. 2 - tf file
resource "kubernetes_cluster_role" "example" {
  metadata {
    name = "terraform-example"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["get", "list", "watch"]
  }
}