turbot/steampipe-mod-kubernetes-compliance

Control: ClusterRoles permissions for approving CertificateSigningRequests

Description

Minimize the permissions granted to ClusterRoles for approving CertificateSigningRequests. It is recommended to follow the principle of least privilege to enhance security.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.role_with_rbac_approve_certificate_signing_requests

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.role_with_rbac_approve_certificate_signing_requests --share

SQL

This control uses a named query:

with role_with_escalate as (
select
uid,
count(*) as num
from
kubernetes_cluster_role,
jsonb_array_elements(rules) rule
where
rule -> 'apiGroups' @> '["certificates.k8s.io"]'
and
((rule -> 'resources' @> '["certificatesigningrequests/approval"]' and rule -> 'verbs' @> '["update", "patch"]')
or (rule -> 'resources' @> '["signers"]' and rule -> 'verbs' @> '["approve"]'))
group by
uid
)
select
coalesce(r.uid, concat(r.path, ':', r.start_line)) as resource,
case
when e.num > 0 then 'alarm'
else 'ok'
end as status,
case
when e.num > 0 then name || ' contains ' || e.num || ' RBAC cluster role grant permissions to approve CertificateSigningRequests.'
else name || ' does not contains any cluster role granting permissions to approve CertificateSigningRequests.'
end as reason,
name as role_name
, coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
kubernetes_cluster_role as r
left join role_with_escalate as e on e.uid = r.uid;

Tags