diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 20a6cca48a..ee33a89cfc 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427) - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408) - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609) +- Update Kubernetes RBAC service metadata to new format [(#9678)](https://github.com/prowler-cloud/prowler/pull/9678) + --- diff --git a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json index 576ef4ab30..4624a378b6 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_cluster_admin_usage/rbac_cluster_admin_usage.metadata.json @@ -1,30 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_cluster_admin_usage", - "CheckTitle": "Ensure that the cluster-admin role is only used where required", + "CheckTitle": "Cluster role binding does not grant the cluster-admin role", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", + "Severity": "critical", "ResourceType": "ClusterRoleBinding", - "Description": "This check ensures that the 'cluster-admin' role, which provides wide-ranging powers, is used only where necessary. The 'cluster-admin' role grants super-user access to perform any action on any resource, including all namespaces. It should be applied cautiously to avoid excessive privileges.", - "Risk": "Inappropriate use of the 'cluster-admin' role can lead to excessive privileges, increasing the risk of malicious actions and potentially impacting the cluster's security posture.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles", + "Description": "RBAC ClusterRoleBindings that bind to the `cluster-admin` ClusterRole are identified, showing where subjects receive super-user permissions across all namespaces.", + "Risk": "**Excessive `cluster-admin` grants** give full API control, risking:\n- Secret exfiltration (confidentiality)\n- RBAC tampering (integrity)\n- Destructive actions causing outages (availability)\n\nA compromised subject can escalate, persist via new bindings, and laterally impact all namespaces.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. List ClusterRoleBindings that use cluster-admin:\n ```\n kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name==\"cluster-admin\") | .metadata.name'\n ```\n2. For each name returned, delete the binding:\n ```\n kubectl delete clusterrolebinding \n ```\n3. If access is still required, recreate with least privilege (example uses view):\n ```\n kubectl create clusterrolebinding --clusterrole=view --user=\n ```", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_binding\" \"\" {\n metadata { name = \"\" }\n role_ref {\n api_group = \"rbac.authorization.k8s.io\"\n kind = \"ClusterRole\"\n name = \"view\" # Critical: replace any \"cluster-admin\" binding with a limited role\n }\n subject {\n kind = \"User\"\n name = \"\"\n }\n}\n```" }, "Recommendation": { - "Text": "Audit and assess the use of 'cluster-admin' role in all ClusterRoleBindings. Ensure it is assigned only to subjects that require such extensive privileges. Consider using more restrictive roles wherever possible.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example" + "Text": "Apply **least privilege**: replace `cluster-admin` with narrowly scoped Roles/ClusterRoles and bind per namespace. Reserve super-user access for break-glass, time-bound with approval and audit. Enforce **separation of duties**, review RBAC regularly, and monitor role/binding changes for **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_cluster_admin_usage" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json index 0eacde8322..4bff26c9e8 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_csr_approval_access/rbac_minimize_csr_approval_access.metadata.json @@ -1,30 +1,34 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_csr_approval_access", - "CheckTitle": "Minimize access to the approval sub-resource of certificatesigningrequests objects", + "CheckTitle": "User or group lacks update and patch access to the certificatesigningrequests/approval sub-resource", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "CertificateSigningRequestApproval", - "Description": "This check ensures that access to the approval sub-resource of certificate signing request (CSR) objects is restricted. Access to update the approval sub-resource can lead to privilege escalation, allowing creation of new high-privileged user accounts in the cluster.", - "Risk": "Unauthorized access to update the approval sub-resource of CSR objects can lead to significant security vulnerabilities, including unauthorized user creation and privilege escalation.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing", + "Severity": "critical", + "ResourceType": "ClusterRoleBinding", + "Description": "**RBAC assignments** that grant `update` or `patch` on the `certificatesigningrequests/approval` subresource to **users or groups** via cluster-wide roles and bindings.\n\nThis highlights principals allowed to approve CSRs based on permissions defined in referenced ClusterRoles.", + "Risk": "Excess CSR approval rights enable **privilege escalation**. A malicious user can approve CSRs to mint client certificates for arbitrary identities, gaining unauthorized API access, impersonating system components, and enabling **data exfiltration** and tampering, harming **confidentiality** and **integrity**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized", - "Other": "", - "Terraform": "" + "CLI": "kubectl delete clusterrolebinding ", + "NativeIaC": "", + "Other": "1. Open the Kubernetes Dashboard\n2. Go to Access control (RBAC) > Cluster Role Bindings\n3. Find the binding that assigns a User or Group to a role permitting certificatesigningrequests/approval\n4. Click the binding, then Delete to remove it\n5. If you must keep the binding: go to Access control (RBAC) > Cluster Roles, open the referenced role, click Edit (YAML), remove the rule that has resource \"certificatesigningrequests/approval\" with verbs [\"update\", \"patch\"], and save", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role\" \"safe\" {\n metadata { name = \"\" }\n # No rules included -> ensures no update/patch on certificatesigningrequests/approval\n}\n\nresource \"kubernetes_cluster_role_binding\" \"safe_bind\" {\n metadata { name = \"\" }\n role_ref {\n api_group = \"rbac.authorization.k8s.io\"\n kind = \"ClusterRole\"\n name = kubernetes_cluster_role.safe.metadata[0].name # Critical: binds subject to a role without CSR approval rights\n }\n subject {\n kind = \"User\" # Use \"Group\" if binding a group\n name = \"\"\n api_group = \"rbac.authorization.k8s.io\"\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to the approval sub-resource of CSR objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing" + "Text": "Apply **least privilege**: allow CSR approval only to a small, trusted approver role.\n- Enforce **separation of duties** between CSR creation and approval\n- Prefer automated approver controllers over manual grants\n- Regularly review RBAC and remove broad ClusterRoleBindings\n- Use **defense in depth** with auditing and short-lived credentials", + "Url": "https://hub.prowler.com/check/rbac_minimize_csr_approval_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json index d5b847273e..1e1f96a893 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_node_proxy_subresource_access/rbac_minimize_node_proxy_subresource_access.metadata.json @@ -1,30 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_node_proxy_subresource_access", - "CheckTitle": "Minimize access to the proxy sub-resource of nodes", + "CheckTitle": "User or group has no get, list, or watch permissions on the nodes/proxy sub-resource", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "NodeProxySubResource", - "Description": "This check ensures that access to the proxy sub-resource of node objects is restricted. Access to this sub-resource can grant privileges to use the Kubelet API directly, bypassing Kubernetes API controls like audit logging and admission control, potentially leading to privilege escalation.", - "Risk": "Unauthorized access to the proxy sub-resource of node objects can lead to significant security vulnerabilities, including privilege escalation.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes", + "Severity": "critical", + "ResourceType": "ClusterRoleBinding", + "Description": "**RBAC permissions** to the `nodes/proxy` subresource are analyzed. Any user or group granted `get`, `list`, or `watch` via cluster-wide bindings is reported.", + "Risk": "Access to `nodes/proxy` exposes the **Kubelet API** through the apiserver proxy, which can bypass **audit** and **admission** controls. An adversary could execute commands in pods, read sensitive data, and pivot across nodes, impacting confidentiality and integrity; broad access also risks node-wide service disruption.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes", + "https://www.linkedin.com/pulse/kubernetes-docker-security-best-practices-mahesh-guruprasad", + "https://stackoverflow.com/questions/69200128/what-is-node-proxy-subresource-in-kubernetes" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Identify the ClusterRoleBinding that grants the user/group access: in your RBAC list, locate the binding referencing a ClusterRole that includes resources: nodes/proxy with verbs get, list, or watch\n2. Edit the ClusterRole: run `kubectl edit clusterrole `\n3. In `rules`, remove any entry where `resources` includes `nodes/proxy` and `verbs` includes `get`, `list`, or `watch`; save and exit\n4. If you cannot modify the role (shared role), delete the specific ClusterRoleBinding that attaches it to the user/group: `kubectl delete clusterrolebinding `", + "Terraform": "```hcl\n# Remove nodes/proxy access by defining the ClusterRole without that permission\nresource \"kubernetes_cluster_role\" \"\" {\n metadata {\n name = \"\"\n }\n # Critical fix: no rule granting get/list/watch on \"nodes/proxy\" so subjects won't have that access\n}\n```" }, "Recommendation": { - "Text": "Restrict access to the proxy sub-resource of node objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes" + "Text": "Apply **least privilege**: avoid granting any verbs on `nodes/proxy` to users or groups. If access is unavoidable, limit it to trusted admins, scope narrowly, make it time-bound, and enforce **separation of duties**. Prefer namespace roles over cluster-wide bindings and review RBAC regularly as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_node_proxy_subresource_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json index 659c78192f..4c9ed9f0c2 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pod_creation_access/rbac_minimize_pod_creation_access.metadata.json @@ -1,30 +1,40 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_pod_creation_access", - "CheckTitle": "Minimize access to create pods", + "CheckTitle": "Kubernetes Role or ClusterRole does not grant create permission on pods", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Pod", - "Description": "This check ensures that the ability to create pods in a Kubernetes cluster is restricted to a minimal group of users. Limiting pod creation access mitigates the risk of privilege escalation and exposure of sensitive data.", - "Risk": "Unrestricted access to create pods can lead to potential security risks and privilege escalation within the cluster.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "ResourceType": "ClusterRole", + "Description": "**Kubernetes RBAC** Roles and ClusterRoles that grant the `create` verb on `pods` are identified.\n\nRules are examined to find permissions allowing pod creation at namespace or cluster scope.", + "Risk": "Overly broad pod-creation rights allow adversaries to run **malicious pods**, mount service account tokens, or request privileged configs, enabling lateral movement. This endangers **confidentiality** (secrets), **integrity** (unauthorized changes), and **availability** (resource abuse, disruption).", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://atmosly.com/blog/kubernetes-rbac-complete-authorization-guide-with-examples-2025", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubegrade.com/kubernetes-access-control/", + "https://www.paloaltonetworks.com/cyberpedia/kubernetes-security", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole", + "https://www.ewere.tech/blog/rbac-in-kubernetes-role-based-approach-to-regulating-access-4304a6/", + "https://www.linkedin.com/pulse/day2460-rbac-service-accounts-master-kubernetes-least-chikkela-twnpe" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl patch clusterrole -p '{\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}'", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Identify the failing RBAC object (Role or ClusterRole) that allows pods create\n2. For a ClusterRole: run `kubectl edit clusterrole `\n3. For a namespaced Role: run `kubectl edit role -n `\n4. In `rules`, find entries with `resources: [\"pods\"]` and remove `create` from `verbs` (keep only read verbs like get/list/watch)\n5. Save and exit; verify with `kubectl get` that the change applied", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_v1\" \"\" {\n metadata {\n name = \"\"\n }\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"]\n verbs = [\"get\", \"list\", \"watch\"] # critical: omit \"create\" to prevent pod creation and pass the check\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict pod creation access to minimize security risks.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole" + "Text": "Apply **least privilege**: limit `pods` `create` to narrowly scoped service accounts and namespaces. Use **separation of duties** and avoid wildcards. Enforce controls with **Pod Security Admission** and policy engines (OPA/Kyverno) to block risky specs. Review RBAC regularly and remove unused grants.", + "Url": "https://hub.prowler.com/check/rbac_minimize_pod_creation_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json index ad3c7c0d09..09f92a33b7 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_pv_creation_access/rbac_minimize_pv_creation_access.metadata.json @@ -1,30 +1,38 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_pv_creation_access", - "CheckTitle": "Minimize access to create persistent volumes", + "CheckTitle": "User or group does not have permission to create PersistentVolumes", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "PersistentVolume", - "Description": "This check ensures that the ability to create persistent volumes in Kubernetes is restricted to authorized users only. Limiting this capability helps prevent privilege escalation scenarios through the creation of hostPath volumes.", - "Risk": "Excessive permissions to create persistent volumes can lead to unauthorized access to sensitive host files, overriding the restrictions imposed by Pod Security Admission policies.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation", + "ResourceType": "ClusterRoleBinding", + "Description": "**Kubernetes RBAC** mapping of **users or groups** with the `create` verb on `persistentvolumes` through ClusterRoleBindings.\n\nShows which principals can provision PersistentVolumes cluster-wide.", + "Risk": "With `create` on `persistentvolumes`, a principal can define **hostPath PVs** and mount them via claims, exposing node files and bypassing pod safeguards.\n\nResults include secret disclosure and filesystem tampering (**confidentiality**/**integrity**), and potential node compromise affecting **availability**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://github.com/kubernetes/kubernetes/issues/81110", + "https://www.radsecurity.ai/blog/what-is-kubernetes-rbac", + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://www.bogotobogo.com/DevOps/Docker/Docker_Kubernetes_PersistentVolumes_PersistentVolumeClaims.php", + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", - "Terraform": "" + "Other": "1. Open the Kubernetes Dashboard (or your cluster RBAC UI)\n2. Navigate to ClusterRoles and select the role referenced by the failing ClusterRoleBinding\n3. Edit the role and locate the rule for resources: persistentvolumes\n4. Remove the verb \"create\" from that rule's verbs list\n5. Save the change to apply updated permissions", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role\" \"\" {\n metadata { name = \"\" }\n\n rule {\n api_groups = [\"\"]\n resources = [\"persistentvolumes\"]\n verbs = [\"get\", \"list\", \"watch\"]\n # Critical: exclude \"create\" on persistentvolumes to prevent PV creation\n # This removes the permission that caused the FAIL finding.\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to create persistent volumes in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation" + "Text": "Enforce **least privilege**: permit `create` on `persistentvolumes` only for trusted storage controllers and select administrators.\n\nAdopt **dynamic provisioning**, maintain **separation of duties**, and use **defense in depth** (Pod Security and admission policies) to prevent unsafe volumes like `hostPath`.", + "Url": "https://hub.prowler.com/check/rbac_minimize_pv_creation_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json index 7e0c668d5f..6fe949416e 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_secret_access/rbac_minimize_secret_access.metadata.json @@ -1,31 +1,36 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_secret_access", - "CheckTitle": "Minimize access to secrets", + "CheckTitle": "Role or ClusterRole does not grant get, list, or watch access to Kubernetes Secrets", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Secrets", - "Description": "This check ensures that access to secrets in the Kubernetes API is restricted to the smallest possible group of users. Minimizing access to secrets helps in reducing the risk of privilege escalation and potential unauthorized access to sensitive data.", - "Risk": "Inappropriate access to secrets can lead to escalation of privileges and unauthorized access to cluster resources or external resources managed through the secrets.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/configuration/secret/", + "ResourceType": "ClusterRole", + "Description": "RBAC Roles and ClusterRoles granting read permissions to **Kubernetes Secrets** are identified. The evaluation looks for rules that allow `get`, `list`, or `watch` on `secrets`, either namespace-scoped or cluster-wide.", + "Risk": "Excessive Secret read access compromises confidentiality of tokens, keys, and credentials. Attackers can harvest service account tokens to impersonate workloads, pivot across namespaces, and modify resources, threatening integrity and availability via lateral movement.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/concepts/configuration/secret/" + ], "Remediation": { "Code": { "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/no-serviceaccountnode-should-be-able-to-read-all-secrets", - "Other": "", - "Terraform": "" + "NativeIaC": "", + "Other": "1. Identify the offending Role or ClusterRole name\n2. Edit it: run either `kubectl edit clusterrole ` or `kubectl edit role `\n3. In `rules`, remove any entry where `resources` contains `secrets` with verbs `get`, `list`, or `watch` (or delete those verbs/resources from the rule)\n4. Save and exit; the change applies immediately", + "Terraform": "```hcl\n# Remove secret read permissions by ensuring no rule includes the \"secrets\" resource\nresource \"kubernetes_cluster_role\" \"\" {\n metadata {\n name = \"\"\n }\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"] # Critical: do NOT include \"secrets\" to avoid get/list/watch on Secrets\n verbs = [\"get\"]\n }\n}\n```" }, "Recommendation": { - "Text": "Restrict access to Kubernetes secrets to the smallest possible set of users.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/" + "Text": "Apply **least privilege**: avoid granting `get`, `list`, or `watch` on `secrets` except to narrowly scoped subjects. Constrain by namespace and `resourceNames` where feasible, use dedicated service accounts, avoid wildcards, and enforce **separation of duties** with policy and reviews.", + "Url": "https://hub.prowler.com/check/rbac_minimize_secret_access" } }, "Categories": [ - "trustboundaries", - "encryption" + "identity-access", + "secrets", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json index 362b938341..2a67aa88e2 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_service_account_token_creation/rbac_minimize_service_account_token_creation.metadata.json @@ -1,30 +1,34 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_service_account_token_creation", - "CheckTitle": "Minimize access to the service account token creation", + "CheckTitle": "User or group does not have permission to create service account tokens", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "ServiceAccountToken", - "Description": "This check ensures that access to create new service account tokens is restricted within the Kubernetes cluster. Unrestricted token creation can lead to privilege escalation and persistent unauthorized access to the cluster.", - "Risk": "Granting excessive permissions for service account token creation can lead to abuse and compromise of cluster security.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request", + "Severity": "critical", + "ResourceType": "ClusterRoleBinding", + "Description": "Cluster-wide RBAC identifies users or groups granted `create` on `serviceaccounts/token` via **ClusterRoles/ClusterRoleBindings**.\n\nHighlights principals allowed to mint **service account tokens** through the TokenRequest subresource.", + "Risk": "Ability to mint **service account tokens** lets users assume those accounts' API rights, bypassing intended boundaries.\n\nThis enables privilege escalation, persistent access, and lateral movement, threatening confidentiality and integrity of cluster resources.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request" + ], "Remediation": { "Code": { - "CLI": "", + "CLI": "kubectl delete clusterrolebinding ", "NativeIaC": "", - "Other": "", + "Other": "1. Identify the ClusterRoleBinding that grants a User/Group the role with create on serviceaccounts/token\n2. Edit the referenced ClusterRole and remove any rule that allows create on resource \"serviceaccounts/token\":\n - kubectl edit clusterrole \n - In .rules[], delete entries with resources: [\"serviceaccounts/token\"] and verb: [\"create\"]\n3. If the permission is only needed for other subjects, alternatively remove the specific User/Group from the ClusterRoleBinding:\n - kubectl edit clusterrolebinding \n - Delete the matching subject under .subjects and save", "Terraform": "" }, "Recommendation": { - "Text": "Restrict access to service account token creation in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request" + "Text": "Enforce **least privilege**: avoid granting `create` on `serviceaccounts/token` to human users or broad groups. Restrict to trusted controllers and scope narrowly with namespaced **Role**/**RoleBinding**.\n\nApply **separation of duties**, periodic RBAC reviews, and **defense in depth** to limit token issuance.", + "Url": "https://hub.prowler.com/check/rbac_minimize_service_account_token_creation" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json index 0276f7f0bd..0c1528c30a 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_webhook_config_access/rbac_minimize_webhook_config_access.metadata.json @@ -1,30 +1,34 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_webhook_config_access", - "CheckTitle": "Minimize access to webhook configuration objects", + "CheckTitle": "User or group does not have create, update, or delete permissions on webhook configurations", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", - "Severity": "high", - "ResourceType": "WebhookConfiguration", - "Description": "This check ensures that access to webhook configuration objects (validatingwebhookconfigurations and mutatingwebhookconfigurations) is restricted. Unauthorized access or modification of these objects can lead to privilege escalation or disruption of cluster operations.", - "Risk": "Inadequately restricted access to webhook configurations can result in unauthorized control over webhooks, potentially allowing privilege escalation or interference with cluster functionality.", - "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks", + "Severity": "critical", + "ResourceType": "ClusterRoleBinding", + "Description": "User or group RBAC assignments that grant privileges to `create`, `update`, or `delete` `validatingwebhookconfigurations` and `mutatingwebhookconfigurations` are identified.\n\nFocus is on permissions that allow modifying **admission webhook** configuration objects.", + "Risk": "Excess rights over **admission webhooks** allow reading or mutating all admitted API objects, undermining **confidentiality** and **integrity**.\n\nAn attacker could inject privileged mutations, bypass policy, or block admissions, leading to **privilege escalation** and cluster-wide **denial of service**.", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized", - "Other": "", + "CLI": "kubectl delete clusterrolebinding ", + "NativeIaC": "", + "Other": "1. Identify the ClusterRoleBinding that assigns a User or Group to a ClusterRole with create, update, or delete on validatingwebhookconfigurations or mutatingwebhookconfigurations (e.g., kubectl get clusterrolebindings).\n2. Delete that ClusterRoleBinding, or edit the bound ClusterRole to remove any rules granting those verbs on these resources.\n3. Save/apply the change; no restart is required.", "Terraform": "" }, "Recommendation": { - "Text": "Restrict access to webhook configuration objects in the cluster.", - "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks" + "Text": "- Enforce **least privilege**; limit webhook config `create`, `update`, `delete` to a small, trusted admin group.\n- Avoid wildcard resources/verbs and use **separation of duties** with change approval.\n- Monitor changes via **audit logging** to provide **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_webhook_config_access" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [], diff --git a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json index 745d1ad82c..c4397aa5a1 100644 --- a/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json +++ b/prowler/providers/kubernetes/services/rbac/rbac_minimize_wildcard_use_roles/rbac_minimize_wildcard_use_roles.metadata.json @@ -1,30 +1,35 @@ { "Provider": "kubernetes", "CheckID": "rbac_minimize_wildcard_use_roles", - "CheckTitle": "Minimize wildcard use in Roles and ClusterRoles", + "CheckTitle": "Role or ClusterRole does not use wildcard resources or verbs", "CheckType": [], "ServiceName": "rbac", "SubServiceName": "", "ResourceIdTemplate": "", "Severity": "high", - "ResourceType": "Role/ClusterRole", - "Description": "This check ensures that Roles and ClusterRoles in Kubernetes minimize the use of wildcards. Restricting wildcards enhances security by enforcing the principle of least privilege, ensuring users have only the access required for their role.", - "Risk": "Use of wildcards can lead to excessive rights being granted, potentially allowing users to access or modify resources beyond their scope of responsibility.", - "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "ResourceType": "ClusterRole", + "Description": "**Kubernetes RBAC Roles/ClusterRoles** are evaluated for wildcard use in rule `resources` or `verbs`. The presence of `*` means all resources or all actions are granted. This finding highlights roles whose rules include such wildcards.", + "Risk": "Using `*` broadens access beyond intent:\n- Confidentiality: unrestricted reads of sensitive data\n- Integrity/Availability: create/update/delete across resources\n- Privilege escalation and lateral movement\n- Future drift: new APIs/verbs inherit access automatically", + "RelatedUrl": "", + "AdditionalURLs": [ + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources" + ], "Remediation": { "Code": { - "CLI": "", - "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles", - "Other": "", - "Terraform": "" + "CLI": "kubectl patch clusterrole --type=merge -p '{\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\"]}]}'", + "NativeIaC": "", + "Other": "1. Run: kubectl edit clusterrole \n2. In rules, replace any resources: [\"*\"] with only the needed resources (e.g., [\"pods\"]).\n3. Replace any verbs: [\"*\"] with only required verbs (e.g., [\"get\"]).\n4. Save and exit. Repeat for any Role or ClusterRole still using wildcards.", + "Terraform": "```hcl\nresource \"kubernetes_cluster_role_v1\" \"\" {\n metadata { name = \"\" }\n\n rule {\n api_groups = [\"\"]\n resources = [\"pods\"] # critical: replace wildcard resources with specific resource\n verbs = [\"get\"] # critical: replace wildcard verbs with specific verb\n }\n}\n```" }, "Recommendation": { - "Text": "Replace wildcards in roles and clusterroles with specific permissions.", - "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources" + "Text": "Apply **least privilege**: replace `*` with explicit `resources`, `verbs`, and `resourceNames`. Split read/write duties, scope Roles to namespaces, use ClusterRoles only when needed, and bind to specific subjects. Periodically review roles to prevent privilege creep as part of **defense in depth**.", + "Url": "https://hub.prowler.com/check/rbac_minimize_wildcard_use_roles" } }, "Categories": [ - "trustboundaries" + "identity-access", + "cluster-security" ], "DependsOn": [], "RelatedTo": [],