About
The cluster-admin ClusterRole provides unlimited access to the Kubernetes API; users and service accounts should therefore not be allocated this ClusterRole.
Understanding Impact
Business Impact
Excessive access to the Kubernetes API increases the risk of data loss or unauthorized modification of application configuration or data.
Technical Impact
The cluster-admin ClusterRole is a built-in role provided by Kubernetes. It grants wildcard access to the API (every verb on every resource), which is not in line with the principle of least privilege.
Identify affected resources
To check whether users have been assigned this role, review the ClusterRoleBinding objects in the cluster that reference the cluster-admin ClusterRole. This can be done using a command like:
kubectl get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name == "cluster-admin")'
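The same check as a small script, added here as an example (it is not part of the original page). It reads the JSON that kubectl get clusterrolebindings -o json produces, either piped in or from a constructed sample embedded below, and lists every subject bound to cluster-admin. Every cluster ships with a ClusterRoleBinding named cluster-admin that binds the system:masters group; the script reports it but marks it as built-in so the reviewer can concentrate on bindings that were added later. The binding and subject names in the sample (alice-admin, ci-runner-admin, alice@example.com, ci/runner, viewers) are constructed.

```python
import json
import sys

# Constructed sample shaped like the output of
# `kubectl get clusterrolebindings -o json` (not taken from a real cluster).
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            # Shipped with every cluster: binds the system:masters group.
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "Group", "name": "system:masters"}],
        },
        {
            # A human user bound directly to cluster-admin (finding).
            "metadata": {"name": "alice-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "User", "name": "alice@example.com"}],
        },
        {
            # A workload service account bound to cluster-admin (finding).
            "metadata": {"name": "ci-runner-admin"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "runner",
                          "namespace": "ci"}],
        },
        {
            # References a different ClusterRole; must not be reported.
            "metadata": {"name": "viewers"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "view"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "Group", "name": "devs"}],
        },
    ],
})

# The default binding that Kubernetes itself creates.
BUILTIN = ("cluster-admin", "Group", "system:masters")


def cluster_admin_subjects(crb_json):
    """Return one (binding, kind, subject, builtin) tuple per subject of every
    ClusterRoleBinding whose roleRef is the cluster-admin ClusterRole.
    ServiceAccount subjects are rendered as namespace/name."""
    findings = []
    for item in json.loads(crb_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        binding = item["metadata"]["name"]
        # A binding may have no subjects at all; it then grants nothing.
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind", ""), subj.get("name", "")
            if kind == "ServiceAccount":
                name = "%s/%s" % (subj.get("namespace", ""), name)
            builtin = (binding, kind, name) == BUILTIN
            findings.append((binding, kind, name, builtin))
    return findings


def main():
    # Pipe real output in (kubectl get clusterrolebindings -o json | python3 audit.py)
    # or run with no input to use the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for binding, kind, name, builtin in cluster_admin_subjects(raw or SAMPLE):
        tag = "built-in" if builtin else "REVIEW"
        print(f"{tag:8} {binding:24} {kind:15} {name}")


if __name__ == "__main__":
    main()
```

Matching on roleRef.kind as well as roleRef.name avoids a false hit on a namespaced Role that happens to be called cluster-admin; the jq one-liner above only compares the name.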
Remediate vulnerable resources
Create custom roles for all user access with the lowest possible level of access required. One option for this is to use audit2rbac to create RBAC objects based on audit logs.
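As an added example (not from the page), the kind of ClusterRoleBinding this finding flags, followed by a least-privilege replacement for it: a namespaced Role limited to the resources and verbs a deployment account actually needs, bound with a RoleBinding. The names deploy-bot, shop and deployment-manager are placeholders, and the exact rules would come from what audit logs show the account doing.

```yaml
# BEFORE (flagged): a workload service account bound to cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deploy-bot-admin
subjects:
- kind: ServiceAccount
  name: deploy-bot
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
---
# AFTER: a Role scoped to one namespace and to the verbs the account uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: shop
  name: deployment-manager
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# The RoleBinding replaces the ClusterRoleBinding above, which is then deleted.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: shop
  name: deploy-bot-deployment-manager
subjects:
- kind: ServiceAccount
  name: deploy-bot
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployment-manager
```

A Role and RoleBinding confine the grant to the shop namespace; if the account needs the same verbs in several namespaces, a ClusterRole with those same rules bound per namespace via RoleBindings keeps the scope narrow without reaching for cluster-admin.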
References
Kubernetes RBAC good practices
Kubernetes documentation