RBAC Roles with Attach Permission

• Query id: d45330fd-f58d-45fb-a682-6481477a0f84
• Query name: RBAC Roles with Attach Permission
• Platform: Kubernetes
• Severity: Medium
• Category: Access Control
• URL: Github

Description

Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-attach
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-attach
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-attach
  apiGroup: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: allow-attach-neg
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-attach-neg
  namespace: my-namespace
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: allow-attach-neg
  apiGroup: ""