prowler-cloud · puchy22 · Dec 23, 2025 · Dec 23, 2025
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
+- Update Kubernetes RBAC service metadata to new format [(#9678)](https://github.com/prowler-cloud/prowler/pull/9678)
+
 
 ---
 

@@ -1,30 +1,35 @@
 {
   "Provider": "kubernetes",
   "CheckID": "rbac_cluster_admin_usage",
-  "CheckTitle": "Ensure that the cluster-admin role is only used where required",
+  "CheckTitle": "Cluster role binding does not grant the cluster-admin role",
   "CheckType": [],
   "ServiceName": "rbac",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
+  "Severity": "critical",
   "ResourceType": "ClusterRoleBinding",
-  "Description": "This check ensures that the 'cluster-admin' role, which provides wide-ranging powers, is used only where necessary. The 'cluster-admin' role grants super-user access to perform any action on any resource, including all namespaces. It should be applied cautiously to avoid excessive privileges.",
-  "Risk": "Inappropriate use of the 'cluster-admin' role can lead to excessive privileges, increasing the risk of malicious actions and potentially impacting the cluster's security posture.",
-  "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles",
+  "Description": "RBAC ClusterRoleBindings that bind to the `cluster-admin` ClusterRole are identified, showing where subjects receive super-user permissions across all namespaces.",
+  "Risk": "**Excessive `cluster-admin` grants** give full API control, risking:\n- Secret exfiltration (confidentiality)\n- RBAC tampering (integrity)\n- Destructive actions causing outages (availability)\n\nA compromised subject can escalate, persist via new bindings, and laterally impact all namespaces.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles",
+    "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "kubectl delete clusterrolebinding <example_resource_name>",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. List ClusterRoleBindings that use cluster-admin:\n   ```\n   kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name==\"cluster-admin\") | .metadata.name'\n   ```\n2. For each name returned, delete the binding:\n   ```\n   kubectl delete clusterrolebinding <example_resource_name>\n   ```\n3. If access is still required, recreate with least privilege (example uses view):\n   ```\n   kubectl create clusterrolebinding <example_resource_name> --clusterrole=view --user=<example_resource_id>\n   ```",
+      "Terraform": "```hcl\nresource \"kubernetes_cluster_role_binding\" \"<example_resource_name>\" {\n  metadata { name = \"<example_resource_name>\" }\n  role_ref {\n    api_group = \"rbac.authorization.k8s.io\"\n    kind      = \"ClusterRole\"\n    name      = \"view\" # Critical: replace any \"cluster-admin\" binding with a limited role\n  }\n  subject {\n    kind = \"User\"\n    name = \"<example_resource_id>\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Audit and assess the use of 'cluster-admin' role in all ClusterRoleBindings. Ensure it is assigned only to subjects that require such extensive privileges. Consider using more restrictive roles wherever possible.",
-      "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#clusterrolebinding-example"
+      "Text": "Apply **least privilege**: replace `cluster-admin` with narrowly scoped Roles/ClusterRoles and bind per namespace. Reserve super-user access for break-glass, time-bound with approval and audit. Enforce **separation of duties**, review RBAC regularly, and monitor role/binding changes for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/rbac_cluster_admin_usage"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "identity-access",
+    "cluster-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],

@@ -1,30 +1,34 @@
 {
   "Provider": "kubernetes",
   "CheckID": "rbac_minimize_csr_approval_access",
-  "CheckTitle": "Minimize access to the approval sub-resource of certificatesigningrequests objects",
+  "CheckTitle": "User or group lacks update and patch access to the certificatesigningrequests/approval sub-resource",
   "CheckType": [],
   "ServiceName": "rbac",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "CertificateSigningRequestApproval",
-  "Description": "This check ensures that access to the approval sub-resource of certificate signing request (CSR) objects is restricted. Access to update the approval sub-resource can lead to privilege escalation, allowing creation of new high-privileged user accounts in the cluster.",
-  "Risk": "Unauthorized access to update the approval sub-resource of CSR objects can lead to significant security vulnerabilities, including unauthorized user creation and privilege escalation.",
-  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing",
+  "Severity": "critical",
+  "ResourceType": "ClusterRoleBinding",
+  "Description": "**RBAC assignments** that grant `update` or `patch` on the `certificatesigningrequests/approval` subresource to **users or groups** via cluster-wide roles and bindings.\n\nThis highlights principals allowed to approve CSRs based on permissions defined in referenced ClusterRoles.",
+  "Risk": "Excess CSR approval rights enable **privilege escalation**. A malicious user can approve CSRs to mint client certificates for arbitrary identities, gaining unauthorized API access, impersonating system components, and enabling **data exfiltration** and tampering, harming **confidentiality** and **integrity**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
-      "NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized",
-      "Other": "",
-      "Terraform": ""
+      "CLI": "kubectl delete clusterrolebinding <example_resource_name>",
+      "NativeIaC": "",
+      "Other": "1. Open the Kubernetes Dashboard\n2. Go to Access control (RBAC) > Cluster Role Bindings\n3. Find the binding that assigns a User or Group to a role permitting certificatesigningrequests/approval\n4. Click the binding, then Delete to remove it\n5. If you must keep the binding: go to Access control (RBAC) > Cluster Roles, open the referenced role, click Edit (YAML), remove the rule that has resource \"certificatesigningrequests/approval\" with verbs [\"update\", \"patch\"], and save",
+      "Terraform": "```hcl\nresource \"kubernetes_cluster_role\" \"safe\" {\n  metadata { name = \"<example_resource_name>\" }\n  # No rules included -> ensures no update/patch on certificatesigningrequests/approval\n}\n\nresource \"kubernetes_cluster_role_binding\" \"safe_bind\" {\n  metadata { name = \"<example_resource_name>\" }\n  role_ref {\n    api_group = \"rbac.authorization.k8s.io\"\n    kind      = \"ClusterRole\"\n    name      = kubernetes_cluster_role.safe.metadata[0].name  # Critical: binds subject to a role without CSR approval rights\n  }\n  subject {\n    kind      = \"User\"  # Use \"Group\" if binding a group\n    name      = \"<example_user_or_group>\"\n    api_group = \"rbac.authorization.k8s.io\"\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Restrict access to the approval sub-resource of CSR objects in the cluster.",
-      "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#csrs-and-certificate-issuing"
+      "Text": "Apply **least privilege**: allow CSR approval only to a small, trusted approver role.\n- Enforce **separation of duties** between CSR creation and approval\n- Prefer automated approver controllers over manual grants\n- Regularly review RBAC and remove broad ClusterRoleBindings\n- Use **defense in depth** with auditing and short-lived credentials",
+      "Url": "https://hub.prowler.com/check/rbac_minimize_csr_approval_access"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "identity-access",
+    "cluster-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],

@@ -1,30 +1,36 @@
 {
   "Provider": "kubernetes",
   "CheckID": "rbac_minimize_node_proxy_subresource_access",
-  "CheckTitle": "Minimize access to the proxy sub-resource of nodes",
+  "CheckTitle": "User or group has no get, list, or watch permissions on the nodes/proxy sub-resource",
   "CheckType": [],
   "ServiceName": "rbac",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "NodeProxySubResource",
-  "Description": "This check ensures that access to the proxy sub-resource of node objects is restricted. Access to this sub-resource can grant privileges to use the Kubelet API directly, bypassing Kubernetes API controls like audit logging and admission control, potentially leading to privilege escalation.",
-  "Risk": "Unauthorized access to the proxy sub-resource of node objects can lead to significant security vulnerabilities, including privilege escalation.",
-  "RelatedUrl": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes",
+  "Severity": "critical",
+  "ResourceType": "ClusterRoleBinding",
+  "Description": "**RBAC permissions** to the `nodes/proxy` subresource are analyzed. Any user or group granted `get`, `list`, or `watch` via cluster-wide bindings is reported.",
+  "Risk": "Access to `nodes/proxy` exposes the **Kubelet API** through the apiserver proxy, which can bypass **audit** and **admission** controls. An adversary could execute commands in pods, read sensitive data, and pivot across nodes, impacting confidentiality and integrity; broad access also risks node-wide service disruption.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes",
+    "https://www.linkedin.com/pulse/kubernetes-docker-security-best-practices-mahesh-guruprasad",
+    "https://stackoverflow.com/questions/69200128/what-is-node-proxy-subresource-in-kubernetes"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "kubectl delete clusterrolebinding <example_resource_name>",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Identify the ClusterRoleBinding that grants the user/group access: in your RBAC list, locate the binding referencing a ClusterRole that includes resources: nodes/proxy with verbs get, list, or watch\n2. Edit the ClusterRole: run `kubectl edit clusterrole <example_resource_name>`\n3. In `rules`, remove any entry where `resources` includes `nodes/proxy` and `verbs` includes `get`, `list`, or `watch`; save and exit\n4. If you cannot modify the role (shared role), delete the specific ClusterRoleBinding that attaches it to the user/group: `kubectl delete clusterrolebinding <example_resource_name>`",
+      "Terraform": "```hcl\n# Remove nodes/proxy access by defining the ClusterRole without that permission\nresource \"kubernetes_cluster_role\" \"<example_resource_name>\" {\n  metadata {\n    name = \"<example_resource_name>\"\n  }\n  # Critical fix: no rule granting get/list/watch on \"nodes/proxy\" so subjects won't have that access\n}\n```"
     },
     "Recommendation": {
-      "Text": "Restrict access to the proxy sub-resource of node objects in the cluster.",
-      "Url": "https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes"
+      "Text": "Apply **least privilege**: avoid granting any verbs on `nodes/proxy` to users or groups. If access is unavoidable, limit it to trusted admins, scope narrowly, make it time-bound, and enforce **separation of duties**. Prefer namespace roles over cluster-wide bindings and review RBAC regularly as part of **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/rbac_minimize_node_proxy_subresource_access"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "identity-access",
+    "cluster-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],

@@ -1,30 +1,40 @@
 {
   "Provider": "kubernetes",
   "CheckID": "rbac_minimize_pod_creation_access",
-  "CheckTitle": "Minimize access to create pods",
+  "CheckTitle": "Kubernetes Role or ClusterRole does not grant create permission on pods",
   "CheckType": [],
   "ServiceName": "rbac",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Pod",
-  "Description": "This check ensures that the ability to create pods in a Kubernetes cluster is restricted to a minimal group of users. Limiting pod creation access mitigates the risk of privilege escalation and exposure of sensitive data.",
-  "Risk": "Unrestricted access to create pods can lead to potential security risks and privilege escalation within the cluster.",
-  "RelatedUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+  "ResourceType": "ClusterRole",
+  "Description": "**Kubernetes RBAC** Roles and ClusterRoles that grant the `create` verb on `pods` are identified.\n\nRules are examined to find permissions allowing pod creation at namespace or cluster scope.",
+  "Risk": "Overly broad pod-creation rights allow adversaries to run **malicious pods**, mount service account tokens, or request privileged configs, enabling lateral movement. This endangers **confidentiality** (secrets), **integrity** (unauthorized changes), and **availability** (resource abuse, disruption).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://atmosly.com/blog/kubernetes-rbac-complete-authorization-guide-with-examples-2025",
+    "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
+    "https://kubegrade.com/kubernetes-access-control/",
+    "https://www.paloaltonetworks.com/cyberpedia/kubernetes-security",
+    "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole",
+    "https://www.ewere.tech/blog/rbac-in-kubernetes-role-based-approach-to-regulating-access-4304a6/",
+    "https://www.linkedin.com/pulse/day2460-rbac-service-accounts-master-kubernetes-least-chikkela-twnpe"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "",
+      "CLI": "kubectl patch clusterrole <CLUSTERROLE_NAME> -p '{\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"pods\"],\"verbs\":[\"get\",\"list\",\"watch\"]}]}'",
       "NativeIaC": "",
-      "Other": "",
-      "Terraform": ""
+      "Other": "1. Identify the failing RBAC object (Role or ClusterRole) that allows pods create\n2. For a ClusterRole: run `kubectl edit clusterrole <CLUSTERROLE_NAME>`\n3. For a namespaced Role: run `kubectl edit role <ROLE_NAME> -n <NAMESPACE>`\n4. In `rules`, find entries with `resources: [\"pods\"]` and remove `create` from `verbs` (keep only read verbs like get/list/watch)\n5. Save and exit; verify with `kubectl get` that the change applied",
+      "Terraform": "```hcl\nresource \"kubernetes_cluster_role_v1\" \"<example_resource_name>\" {\n  metadata {\n    name = \"<example_resource_name>\"\n  }\n  rule {\n    api_groups = [\"\"]\n    resources  = [\"pods\"]\n    verbs      = [\"get\", \"list\", \"watch\"] # critical: omit \"create\" to prevent pod creation and pass the check\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Restrict pod creation access to minimize security risks.",
-      "Url": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole"
+      "Text": "Apply **least privilege**: limit `pods` `create` to narrowly scoped service accounts and namespaces. Use **separation of duties** and avoid wildcards. Enforce controls with **Pod Security Admission** and policy engines (OPA/Kyverno) to block risky specs. Review RBAC regularly and remove unused grants.",
+      "Url": "https://hub.prowler.com/check/rbac_minimize_pod_creation_access"
     }
   },
   "Categories": [
-    "trustboundaries"
+    "identity-access",
+    "cluster-security"
   ],
   "DependsOn": [],
   "RelatedTo": [],