diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index ab0748ae88..21a99f448d 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -14,6 +14,7 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update Kubernetes Controller Manager service metadata to new format [(#9675)](https://github.com/prowler-cloud/prowler/pull/9675) - Update Kubernetes Core service metadata to new format [(#9676)](https://github.com/prowler-cloud/prowler/pull/9676) - Update Kubernetes Kubelet service metadata to new format [(#9677)](https://github.com/prowler-cloud/prowler/pull/9677) +- Update Kubernetes RBAC service metadata to new format [(#9678)](https://github.com/prowler-cloud/prowler/pull/9678) --- diff --git a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json index 11f681f7c5..b101179167 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json @@ -1,31 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_cluster_admin_usage", - "CheckTitle": "Ensure that the cluster-admin role is only used where required", + "CheckTitle": "Cluster role binding does not grant the cluster-admin role", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", + "Severity": "critical", "ResourceType": "ClusterRoleBinding", "ResourceGroup": "IAM", - "Description": "This check ensures that the 'cluster-admin' role, which provides wide-ranging powers, is used only where necessary. The 'cluster-admin' role grants super-user access to perform any action on any resource, including all namespaces. It should be applied cautiously to avoid excessive privileges.", - "Risk": "Inappropriate use of the 'cluster-admin' role can lead to excessive privileges, increasing the risk of malicious actions and potentially impacting the cluster's security posture.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles", + "Description": "RBAC ClusterRoleBindings that bind to the `cluster-admin` ClusterRole are identified, showing where subjects receive super-user permissions across all namespaces.", + "Risk": "**Excessive `cluster-admin` grants** give full API control, risking:\n- Secret exfiltration (confidentiality)\n- RBAC tampering (integrity)\n- Destructive actions causing outages (availability)\n\nA compromised subject can escalate, persist via new bindings, and laterally impact all namespaces.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. List ClusterRoleBindings that use cluster-admin:\n ```\n kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name==\"cluster-admin\") | .metadata.name'\n ```\n2. For each name returned, delete the binding:\n ```\n kubectl delete clusterrolebinding \n ```\n3. If access is still required, recreate with least privilege (example uses view):\n ```\n kubectl create clusterrolebinding --clusterrole=view --user=\n ```", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_binding\" \"\" {\n metadata { name = \"\" }\n role_ref {\n api_group = \"rbac.authorization.k8s.io\"\n kind = \"ClusterRole\"\n name = \"view\" # Critical: replace any \"cluster-admin\" binding with a limited role\n }\n subject {\n kind = \"User\"\n name = \"\"\n }\n}\n```" }, "Recommendation": { - "Text": "Audit and assess the use of 'cluster-admin' role in all ClusterRoleBindings. Ensure it is assigned only to subjects that require such extensive privileges. Consider using more restrictive roles wherever possible.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example" + "Text": "Apply **least privilege**: replace `cluster-admin` with narrowly scoped Roles/ClusterRoles and bind per namespace. Reserve super-user access for break-glass, time-bound with approval and audit. Enforce **separation of duties**, review RBAC regularly, and monitor role/binding changes for **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_cluster_admin_usage" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json index 31bed6351a..13bd0b8f7a 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json @@ -1,31 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_csr_approval_access", - "CheckTitle": "Minimize access to the approval sub-resource of certificatesigningrequests objects", + "CheckTitle": "User or group lacks update and patch access to the certificatesigningrequests/approval sub-resource", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "CertificateSigningRequestApproval", + "ResourceType": "ClusterRoleBinding", "ResourceGroup": "security", - "Description": "This check ensures that access to the approval sub-resource of certificate signing request (CSR) objects is restricted. Access to update the approval sub-resource can lead to privilege escalation, allowing creation of new high-privileged user accounts in the cluster.", - "Risk": "Unauthorized access to update the approval sub-resource of CSR objects can lead to significant security vulnerabilities, including unauthorized user creation and privilege escalation.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing", + "Description": "**RBAC assignments** that grant `update` or `patch` on the `certificatesigningrequests/approval` subresource to **users or groups** via cluster-wide roles and bindings.\n\nThis highlights principals allowed to approve CSRs based on permissions defined in referenced ClusterRoles.", + "Risk": "Excess CSR approval rights enable **privilege escalation**. A malicious user can approve CSRs to mint client certificates for arbitrary identities, gaining unauthorized API access, impersonating system components, and enabling **data exfiltration** and tampering, harming **confidentiality** and **integrity**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized", - "Other": "", - "Terraform": "" + "CLI": "kubectl delete clusterrolebinding ", + "NativeIaC": "", + "Other": "1. Open the Kubernetes Dashboard\n2. Go to Access control (RBAC) > Cluster Role Bindings\n3. Find the binding that assigns a User or Group to a role permitting certificatesigningrequests/approval\n4. Click the binding, then Delete to remove it\n5. If you must keep the binding: go to Access control (RBAC) > Cluster Roles, open the referenced role, click Edit (YAML), remove the rule that has resource \"certificatesigningrequests/approval\" with verbs [\"update\", \"patch\"], and save", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role\" \"safe\" {\n metadata { name = \"\" }\n # No rules included -> ensures no update/patch on certificatesigningrequests/approval\n}\n\nresource \"kubernetes_cluster_role_binding\" \"safe_bind\" {\n metadata { name = \"\" }\n role_ref {\n api_group = \"rbac.authorization.k8s.io\"\n kind = \"ClusterRole\"\n name = kubernetes_cluster_role.safe.metadata[0].name # Critical: binds subject to a role without CSR approval rights\n }\n subject {\n kind = \"User\" # Use \"Group\" if binding a group\n name = \"\"\n api_group = \"rbac.authorization.k8s.io\"\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to the approval sub-resource of CSR objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing" + "Text": "Apply **least privilege**: allow CSR approval only to a small, trusted approver role.\n- Enforce **separation of duties** between CSR creation and approval\n- Prefer automated approver controllers over manual grants\n- Regularly review RBAC and remove broad ClusterRoleBindings\n- Use **defense in depth** with auditing and short-lived credentials", + "Url": "https://hub.prowler.com/check/rbac_minimize_csr_approval_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json index cd2e66a691..c19b768c88 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json @@ -1,31 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_node_proxy_subresource_access", - "CheckTitle": "Minimize access to the proxy sub-resource of nodes", + "CheckTitle": "User or group has no get, list, or watch permissions on the nodes/proxy sub-resource", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "NodeProxySubResource", + "ResourceType": "ClusterRoleBinding", "ResourceGroup": "container", - "Description": "This check ensures that access to the proxy sub-resource of node objects is restricted. Access to this sub-resource can grant privileges to use the Kubelet API directly, bypassing Kubernetes API controls like audit logging and admission control, potentially leading to privilege escalation.", - "Risk": "Unauthorized access to the proxy sub-resource of node objects can lead to significant security vulnerabilities, including privilege escalation.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes", + "Description": "**RBAC permissions** to the `nodes/proxy` subresource are analyzed. Any user or group granted `get`, `list`, or `watch` via cluster-wide bindings is reported.", + "Risk": "Access to `nodes/proxy` exposes the **Kubelet API** through the apiserver proxy, which can bypass **audit** and **admission** controls. An adversary could execute commands in pods, read sensitive data, and pivot across nodes, impacting confidentiality and integrity; broad access also risks node-wide service disruption.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Identify the ClusterRoleBinding that grants the user/group access: in your RBAC list, locate the binding referencing a ClusterRole that includes resources: nodes/proxy with verbs get, list, or watch\n2. Edit the ClusterRole: run `kubectl edit clusterrole `\n3. In `rules`, remove any entry where `resources` includes `nodes/proxy` and `verbs` includes `get`, `list`, or `watch`; save and exit\n4. If you cannot modify the role (shared role), delete the specific ClusterRoleBinding that attaches it to the user/group: `kubectl delete clusterrolebinding `", + "Terraform": "```hcl\n# Remove nodes/proxy access by defining the ClusterRole without that permission\nresource \"kubernetes_cluster_role\" \"\" {\n metadata {\n name = \"\"\n }\n # Critical fix: no rule granting get/list/watch on \"nodes/proxy\" so subjects won't have that access\n}\n```" }, "Recommendation": { - "Text": "Restrict access to the proxy sub-resource of node objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes" + "Text": "Apply **least privilege**: avoid granting any verbs on `nodes/proxy` to users or groups. If access is unavoidable, limit it to trusted admins, scope narrowly, make it time-bound, and enforce **separation of duties**. Prefer namespace roles over cluster-wide bindings and review RBAC regularly as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_node_proxy_subresource_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json index 1db10b8b4e..a6c5b69c0e 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json @@ -1,31 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_pod_creation_access", - "CheckTitle": "Minimize access to create pods", + "CheckTitle": "Role or ClusterRole does not grant create permission on pods", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Pod", + "ResourceType": "ClusterRole", "ResourceGroup": "container", - "Description": "This check ensures that the ability to create pods in a Kubernetes cluster is restricted to a minimal group of users. Limiting pod creation access mitigates the risk of privilege escalation and exposure of sensitive data.", - "Risk": "Unrestricted access to create pods can lead to potential security risks and privilege escalation within the cluster.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "Description": "**Kubernetes RBAC** Roles and ClusterRoles that grant the `create` verb on `pods` are identified.\n\nRules are examined to find permissions allowing pod creation at namespace or cluster scope.", + "Risk": "Overly broad pod-creation rights allow adversaries to run **malicious pods**, mount service account tokens, or request privileged configs, enabling lateral movement. This endangers **confidentiality** (secrets), **integrity** (unauthorized changes), and **availability** (resource abuse, disruption).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubegrade.com/kubernetes-access-control/" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl patch clusterrole -p '{\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}'", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Identify the failing RBAC object (Role or ClusterRole) that allows pods create\n2. For a ClusterRole: run `kubectl edit clusterrole `\n3. For a namespaced Role: run `kubectl edit role -n `\n4. In `rules`, find entries with `resources: [\"pods\"]` and remove `create` from `verbs` (keep only read verbs like get/list/watch)\n5. Save and exit; verify with `kubectl get` that the change applied", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_v1\" \"\" {\n metadata {\n name = \"\"\n }\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"]\n verbs = [\"get\", \"list\", \"watch\"] # critical: omit \"create\" to prevent pod creation and pass the check\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict pod creation access to minimize security risks.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole" + "Text": "Apply **least privilege**: limit `pods` `create` to narrowly scoped service accounts and namespaces. Use **separation of duties** and avoid wildcards. Enforce controls with **Pod Security Admission** and policy engines (OPA/Kyverno) to block risky specs. Review RBAC regularly and remove unused grants.", + "Url": "https://hub.prowler.com/check/rbac_minimize_pod_creation_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json index 6f5d3fda21..472f136621 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json @@ -1,31 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_pv_creation_access", - "CheckTitle": "Minimize access to create persistent volumes", + "CheckTitle": "User or group does not have permission to create PersistentVolumes", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "PersistentVolume", + "ResourceType": "ClusterRoleBinding", "ResourceGroup": "storage", - "Description": "This check ensures that the ability to create persistent volumes in Kubernetes is restricted to authorized users only. Limiting this capability helps prevent privilege escalation scenarios through the creation of hostPath volumes.", - "Risk": "Excessive permissions to create persistent volumes can lead to unauthorized access to sensitive host files, overriding the restrictions imposed by Pod Security Admission policies.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation", + "Description": "**Kubernetes RBAC** mapping of **users or groups** with the `create` verb on `persistentvolumes` through ClusterRoleBindings.\n\nShows which principals can provision PersistentVolumes cluster-wide.", + "Risk": "With `create` on `persistentvolumes`, a principal can define **hostPath PVs** and mount them via claims, exposing node files and bypassing pod safeguards.\n\nResults include secret disclosure and filesystem tampering (**confidentiality**/**integrity**), and potential node compromise affecting **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://www.radsecurity.ai/blog/what-is-kubernetes-rbac", + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Open the Kubernetes Dashboard (or your cluster RBAC UI)\n2. Navigate to ClusterRoles and select the role referenced by the failing ClusterRoleBinding\n3. Edit the role and locate the rule for resources: persistentvolumes\n4. Remove the verb \"create\" from that rule's verbs list\n5. Save the change to apply updated permissions", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role\" \"\" {\n metadata { name = \"\" }\n\n rule {\n api_groups = [\"\"]\n resources = [\"persistentvolumes\"]\n verbs = [\"get\", \"list\", \"watch\"]\n # Critical: exclude \"create\" on persistentvolumes to prevent PV creation\n # This removes the permission that caused the FAIL finding.\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to create persistent volumes in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation" + "Text": "Enforce **least privilege**: permit `create` on `persistentvolumes` only for trusted storage controllers and select administrators.\n\nAdopt **dynamic provisioning**, maintain **separation of duties**, and use **defense in depth** (Pod Security and admission policies) to prevent unsafe volumes like `hostPath`.", + "Url": "https://hub.prowler.com/check/rbac_minimize_pv_creation_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json index bcbd5ab1f3..7f47ad33e6 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json @@ -1,32 +1,37 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_secret_access", - "CheckTitle": "Minimize access to secrets", + "CheckTitle": "Role or ClusterRole does not grant get, list, or watch access to Kubernetes Secrets", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Secrets", + "ResourceType": "ClusterRole", "ResourceGroup": "security", - "Description": "This check ensures that access to secrets in the Kubernetes API is restricted to the smallest possible group of users. Minimizing access to secrets helps in reducing the risk of privilege escalation and potential unauthorized access to sensitive data.", - "Risk": "Inappropriate access to secrets can lead to escalation of privileges and unauthorized access to cluster resources or external resources managed through the secrets.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/configuration/secret/", + "Description": "RBAC Roles and ClusterRoles granting read permissions to **Kubernetes Secrets** are identified. The evaluation looks for rules that allow `get`, `list`, or `watch` on `secrets`, either namespace-scoped or cluster-wide.", + "Risk": "Excessive Secret read access compromises confidentiality of tokens, keys, and credentials. Attackers can harvest service account tokens to impersonate workloads, pivot across namespaces, and modify resources, threatening integrity and availability via lateral movement.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/concepts/configuration/secret/" + ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets", - "Other": "", - "Terraform": "" + "NativeIaC": "", + "Other": "1. Identify the offending Role or ClusterRole name\n2. Edit it: run either `kubectl edit clusterrole ` or `kubectl edit role `\n3. In `rules`, remove any entry where `resources` contains `secrets` with verbs `get`, `list`, or `watch` (or delete those verbs/resources from the rule)\n4. Save and exit; the change applies immediately", + "Terraform": "```hcl\n# Remove secret read permissions by ensuring no rule includes the \"secrets\" resource\nresource \"kubernetes_cluster_role\" \"\" {\n metadata {\n name = \"\"\n }\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"] # Critical: do NOT include \"secrets\" to avoid get/list/watch on Secrets\n verbs = [\"get\"]\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to Kubernetes secrets to the smallest possible set of users.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/" + "Text": "Apply **least privilege**: avoid granting `get`, `list`, or `watch` on `secrets` except to narrowly scoped subjects. Constrain by namespace and `resourceNames` where feasible, use dedicated service accounts, avoid wildcards, and enforce **separation of duties** with policy and reviews.", + "Url": "https://hub.prowler.com/check/rbac_minimize_secret_access" } }, "Categories": [ - "trustboundaries", - "encryption" + "identity-access", + "secrets", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json index 5483467eab..ff4933688c 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json @@ -1,31 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_service_account_token_creation", - "CheckTitle": "Minimize access to the service account token creation", + "CheckTitle": "User or group does not have permission to create service account tokens", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "ServiceAccountToken", + "ResourceType": "ClusterRoleBinding", "ResourceGroup": "IAM", - "Description": "This check ensures that access to create new service account tokens is restricted within the Kubernetes cluster. Unrestricted token creation can lead to privilege escalation and persistent unauthorized access to the cluster.", - "Risk": "Granting excessive permissions for service account token creation can lead to abuse and compromise of cluster security.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request", + "Description": "Cluster-wide RBAC identifies users or groups granted `create` on `serviceaccounts/token` via **ClusterRoles/ClusterRoleBindings**.\n\nHighlights principals allowed to mint **service account tokens** through the TokenRequest subresource.", + "Risk": "Ability to mint **service account tokens** lets users assume those accounts' API rights, bypassing intended boundaries.\n\nThis enables privilege escalation, persistent access, and lateral movement, threatening confidentiality and integrity of cluster resources.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", + "Other": "1. Identify the ClusterRoleBinding that grants a User/Group the role with create on serviceaccounts/token\n2. Edit the referenced ClusterRole and remove any rule that allows create on resource \"serviceaccounts/token\":\n - kubectl edit clusterrole \n - In .rules[], delete entries with resources: [\"serviceaccounts/token\"] and verb: [\"create\"]\n3. If the permission is only needed for other subjects, alternatively remove the specific User/Group from the ClusterRoleBinding:\n - kubectl edit clusterrolebinding \n - Delete the matching subject under .subjects and save", "Terraform": "" }, "Recommendation": { - "Text": "Restrict access to service account token creation in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request" + "Text": "Enforce **least privilege**: avoid granting `create` on `serviceaccounts/token` to human users or broad groups. Restrict to trusted controllers and scope narrowly with namespaced **Role**/**RoleBinding**.\n\nApply **separation of duties**, periodic RBAC reviews, and **defense in depth** to limit token issuance.", + "Url": "https://hub.prowler.com/check/rbac_minimize_service_account_token_creation" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json index 334e28983f..86418422ea 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json @@ -1,31 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_webhook_config_access", - "CheckTitle": "Minimize access to webhook configuration objects", + "CheckTitle": "User or group does not have create, update, or delete permissions on webhook configurations", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "WebhookConfiguration", + "ResourceType": "ClusterRoleBinding", "ResourceGroup": "container", - "Description": "This check ensures that access to webhook configuration objects (validatingwebhookconfigurations and mutatingwebhookconfigurations) is restricted. Unauthorized access or modification of these objects can lead to privilege escalation or disruption of cluster operations.", - "Risk": "Inadequately restricted access to webhook configurations can result in unauthorized control over webhooks, potentially allowing privilege escalation or interference with cluster functionality.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks", + "Description": "User or group RBAC assignments that grant privileges to `create`, `update`, or `delete` `validatingwebhookconfigurations` and `mutatingwebhookconfigurations` are identified.\n\nFocus is on permissions that allow modifying **admission webhook** configuration objects.", + "Risk": "Excess rights over **admission webhooks** allow reading or mutating all admitted API objects, undermining **confidentiality** and **integrity**.\n\nAn attacker could inject privileged mutations, bypass policy, or block admissions, leading to **privilege escalation** and cluster-wide **denial of service**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized", - "Other": "", + "CLI": "kubectl delete clusterrolebinding ", + "NativeIaC": "", + "Other": "1. Identify the ClusterRoleBinding that assigns a User or Group to a ClusterRole with create, update, or delete on validatingwebhookconfigurations or mutatingwebhookconfigurations (e.g., kubectl get clusterrolebindings).\n2. Delete that ClusterRoleBinding, or edit the bound ClusterRole to remove any rules granting those verbs on these resources.\n3. Save/apply the change; no restart is required.", "Terraform": "" }, "Recommendation": { - "Text": "Restrict access to webhook configuration objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks" + "Text": "- Enforce **least privilege**; limit webhook config `create`, `update`, `delete` to a small, trusted admin group.\n- Avoid wildcard resources/verbs and use **separation of duties** with change approval.\n- Monitor changes via **audit logging** to provide **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_webhook_config_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json index faae4af9ec..39af35a5b7 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json @@ -1,31 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_wildcard_use_roles", - "CheckTitle": "Minimize wildcard use in Roles and ClusterRoles", + "CheckTitle": "Role or ClusterRole does not use wildcard resources or verbs", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Role/ClusterRole", + "ResourceType": "ClusterRole", "ResourceGroup": "IAM", - "Description": "This check ensures that Roles and ClusterRoles in Kubernetes minimize the use of wildcards. Restricting wildcards enhances security by enforcing the principle of least privilege, ensuring users have only the access required for their role.", - "Risk": "Use of wildcards can lead to excessive rights being granted, potentially allowing users to access or modify resources beyond their scope of responsibility.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "Description": "**Kubernetes RBAC Roles/ClusterRoles** are evaluated for wildcard use in rule `resources` or `verbs`. The presence of `*` means all resources or all actions are granted. This finding highlights roles whose rules include such wildcards.", + "Risk": "Using `*` broadens access beyond intent:\n- Confidentiality: unrestricted reads of sensitive data\n- Integrity/Availability: create/update/delete across resources\n- Privilege escalation and lateral movement\n- Future drift: new APIs/verbs inherit access automatically", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles", - "Other": "", - "Terraform": "" + "CLI": "kubectl patch clusterrole --type=merge -p '{\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\"]}]}'", + "NativeIaC": "", + "Other": "1. Run: kubectl edit clusterrole \n2. In rules, replace any resources: [\"*\"] with only the needed resources (e.g., [\"pods\"]).\n3. Replace any verbs: [\"*\"] with only required verbs (e.g., [\"get\"]).\n4. Save and exit. Repeat for any Role or ClusterRole still using wildcards.", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_v1\" \"\" {\n metadata { name = \"\" }\n\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"] # critical: replace wildcard resources with specific resource\n verbs = [\"get\"] # critical: replace wildcard verbs with specific verb\n }\n}\n```" }, "Recommendation": { - "Text": "Replace wildcards in roles and clusterroles with specific permissions.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources" + "Text": "Apply **least privilege**: replace `*` with explicit `resources`, `verbs`, and `resourceNames`. Split read/write duties, scope Roles to namespaces, use ClusterRoles only when needed, and bind to specific subjects. Periodically review roles to prevent privilege creep as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_wildcard_use_roles" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [],