Control: ClusterRoles permissions for approving CertificateSigningRequests
Description
Minimize the permissions granted to ClusterRoles for approving CertificateSigningRequests. It is recommended to follow the principle of least privilege to enhance security.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.role_with_rbac_approve_certificate_signing_requests

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.role_with_rbac_approve_certificate_signing_requests --share

SQL
This control uses a named query:
-- Count, per ClusterRole, the rules that grant CSR approval rights.
-- Note: JSONB '@>' is containment, so a rule matches only if it lists the
-- exact group and resource and every listed verb; a rule with verbs
-- ["update"] alone, or wildcard "*" entries, does not match this predicate.
with role_with_escalate as (
  select
    uid,
    count(*) as num
  from
    kubernetes_cluster_role,
    jsonb_array_elements(rules) rule
  where
    rule -> 'apiGroups' @> '["certificates.k8s.io"]'
    and (
      (
        rule -> 'resources' @> '["certificatesigningrequests/approval"]'
        and rule -> 'verbs' @> '["update", "patch"]'
      )
      or (
        rule -> 'resources' @> '["signers"]'
        and rule -> 'verbs' @> '["approve"]'
      )
    )
  group by
    uid
)
select
  coalesce(r.uid, concat(r.path, ':', r.start_line)) as resource,
  case
    when e.num > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when e.num > 0 then name || ' contains ' || e.num || ' RBAC rule(s) granting permissions to approve CertificateSigningRequests.'
    else name || ' does not contain any rule granting permissions to approve CertificateSigningRequests.'
  end as reason,
  name as role_name,
  coalesce(context_name, '') as context_name,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_cluster_role as r
  left join role_with_escalate as e on e.uid = r.uid;
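To make the query's containment checks concrete, here is an added Python re-implementation of the same rule-matching predicate over ClusterRole manifests (example code, not part of the kubernetes_compliance mod). The stricter `rule_can_approve_csrs` variant and the sample roles are assumptions constructed for this example; the variant goes beyond the mod's query by also counting wildcard entries and update-only rules.

```python
# Added example (not the kubernetes_compliance mod's own code): the control's
# rule-matching logic applied to ClusterRole manifests (parsed YAML/JSON dicts),
# so it can run in CI without Steampipe. Sample roles are constructed.
CSR_GROUP = "certificates.k8s.io"

def _parts(rule):
    return (set(rule.get("apiGroups", [])), set(rule.get("resources", [])),
            set(rule.get("verbs", [])))

def rule_matches_control(rule):
    """Mirror the SQL predicate. JSONB '@>' means 'contains every listed
    element', so a rule must name the group, the exact resource and ALL verbs."""
    groups, resources, verbs = _parts(rule)
    if CSR_GROUP not in groups:
        return False
    approval = "certificatesigningrequests/approval" in resources and {"update", "patch"} <= verbs
    signers = "signers" in resources and "approve" in verbs
    return approval or signers

def rule_can_approve_csrs(rule):
    """Stricter variant (this example's assumption, not the mod's query): also
    counts wildcard groups/resources/verbs and update-only approval rights."""
    groups, resources, verbs = _parts(rule)
    if not {CSR_GROUP, "*"} & groups:
        return False
    approval = ({"certificatesigningrequests/approval", "*"} & resources
                and {"update", "patch", "*"} & verbs)
    signers = {"signers", "*"} & resources and {"approve", "*"} & verbs
    return bool(approval or signers)

def evaluate_all(cluster_roles, predicate=rule_matches_control):
    """Return {role name: 'alarm' | 'ok'}, like the control's status column."""
    return {role["metadata"]["name"]:
            "alarm" if any(predicate(r) for r in role.get("rules", [])) else "ok"
            for role in cluster_roles}

def make_role(name, groups, resources, verbs):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": verbs}]}

SAMPLE_ROLES = [  # constructed for this example
    make_role("csr-approver", [CSR_GROUP], ["certificatesigningrequests/approval"], ["update", "patch"]),
    make_role("signer-approver", [CSR_GROUP], ["signers"], ["approve"]),
    make_role("csr-viewer", [CSR_GROUP], ["certificatesigningrequests"], ["get", "list", "watch"]),
    make_role("update-only", [CSR_GROUP], ["certificatesigningrequests/approval"], ["update"]),
    make_role("wildcard-admin", ["*"], ["*"], ["*"]),
]
```

Running `evaluate_all(SAMPLE_ROLES)` flags only the first two roles, while the stricter predicate also flags `update-only` and `wildcard-admin`; the difference is the coverage gap to keep in mind when reading this control's results.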