Control: ClusterRoles permissions to escalate Roles or ClusterRoles should be minimized
Description
Minimize the Roles and ClusterRoles that grant the escalate verb on Roles or ClusterRoles. A subject holding escalate can update a role to grant permissions it does not itself hold, which bypasses the normal RBAC privilege-escalation check, so it should be granted only where strictly needed, following the principle of least privilege.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.role_with_rbac_escalate_permissions

Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.role_with_rbac_escalate_permissions --share

SQL
This control uses a named query:
with role_with_escalate as (
  select
    uid,
    count(*) as num
  from
    kubernetes_cluster_role,
    jsonb_array_elements(rules) rule
  where
    rule -> 'apiGroups' @> '["rbac.authorization.k8s.io"]'
    and (
      rule -> 'resources' @> '["roles"]'
      or rule -> 'resources' @> '["clusterroles"]'
    )
    and rule -> 'verbs' @> '["escalate"]'
  group by
    uid
  union
  select
    uid,
    count(*) as num
  from
    kubernetes_role,
    jsonb_array_elements(rules) rule
  where
    rule -> 'apiGroups' @> '["rbac.authorization.k8s.io"]'
    and (
      rule -> 'resources' @> '["roles"]'
      or rule -> 'resources' @> '["clusterroles"]'
    )
    and rule -> 'verbs' @> '["escalate"]'
  group by
    uid
), union_role_and_cluster_role as (
  select
    uid,
    path,
    name,
    start_line,
    end_line,
    source_type,
    context_name,
    tags,
    _ctx
  from
    kubernetes_role
  union
  select
    uid,
    path,
    name,
    start_line,
    end_line,
    source_type,
    context_name,
    tags,
    _ctx
  from
    kubernetes_cluster_role
)
select
  coalesce(r.uid, concat(r.path, ':', r.start_line)) as resource,
  case
    when e.num > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when e.num > 0 then name || ' contains ' || e.num || ' RBAC escalate permissions.'
    else name || ' does not contain any RBAC escalate permissions.'
  end as reason,
  name as role_name,
  coalesce(context_name, '') as context_name,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  union_role_and_cluster_role as r
  left join role_with_escalate as e on e.uid = r.uid
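As an added example (not part of the kubernetes_compliance mod), the same per-rule predicate applied directly to Role and ClusterRole manifests in Python, for instance to the JSON that kubectl get roles,clusterroles -A -o json returns. It goes one step beyond the SQL: with match_wildcards enabled it also treats "*" entries in apiGroups, resources or verbs as a match, which the jsonb containment checks above do not. The manifests at the bottom are constructed samples.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_KINDS = {"roles", "clusterroles"}


def rule_grants_escalate(rule, match_wildcards=True):
    """Mirror of the control's rule predicate: apiGroups contains the RBAC group,
    resources contains roles or clusterroles, verbs contains escalate.
    match_wildcards=True is an extension of the SQL: '*' counts as a match too."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    wild = {"*"} if match_wildcards else set()
    return bool(
        (groups & ({RBAC_GROUP} | wild))
        and (resources & (ROLE_KINDS | wild))
        and (verbs & ({"escalate"} | wild))
    )


def evaluate(manifest, match_wildcards=True):
    """Return (status, reason) shaped like the control's status/reason columns."""
    name = manifest["metadata"]["name"]
    rules = manifest.get("rules") or []  # 'rules' may be null in a manifest
    num = sum(1 for r in rules if rule_grants_escalate(r, match_wildcards))
    if num > 0:
        return "alarm", f"{name} contains {num} RBAC escalate permissions."
    return "ok", f"{name} does not contain any RBAC escalate permissions."


def evaluate_kubectl_json(text, match_wildcards=True):
    """Evaluate a kubectl '-o json' document (a List with items, or one object)."""
    doc = json.loads(text)
    items = doc.get("items", [doc])
    return [(i["kind"], i["metadata"]["name"], *evaluate(i, match_wildcards)) for i in items]


# Constructed sample manifests, not taken from a real cluster.
SAMPLE_MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "rbac-escalator"},
     "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get", "escalate"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "star-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        print(m["kind"], *evaluate(m))
```

Running the script flags rbac-escalator and star-admin and passes pod-reader; with match_wildcards=False, star-admin is reported ok, matching what the SQL above would return for it.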