Restrict ClusterRole Nodesproxy

Description

A ClusterRole that grants access to the nodes/proxy resource allows a user to do anything the kubelet API allows. It also lets users bypass the API server's normal request path and talk directly to the kubelet, potentially circumventing audit logging and admission controllers. Refer to the official Aquasec blog for more information. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.

Risks

Risks associated with a ClusterRole containing the nodes/proxy resource:

  • Privilege Escalation: A user with permissions on the nodes/proxy subresource in a cluster has full permissions against the kubelet API on any node by proxying requests through the API server, and can execute commands in any pod. This may represent privileges beyond those expected by the cluster administrator.

Refer to this issue for more information.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-clusterrole-nodesproxy.

Resource Example

Below are examples of two ClusterRole resources that do not include the nodes/proxy resource.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr02
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
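The check below is an added example, not Nirmata's or Kyverno's code: it applies the policy's rule to parsed ClusterRole manifests, passing the two compliant resources above and rejecting a constructed ClusterRole that adds nodes/proxy. It also goes one step beyond the page by flagging the wildcard "*" resource, since that matches every resource and subresource, nodes/proxy included; the manifests are given as Python dicts trimmed to the fields the check reads, so it runs without any YAML library.

```python
# Added example (not Nirmata's code): flag ClusterRole rules that grant the
# nodes/proxy subresource, mirroring the intent of restrict-clusterrole-nodesproxy.
# Manifests are already-parsed dicts (what a YAML loader would return).

def rule_grants_nodes_proxy(rule: dict) -> bool:
    """True if one RBAC rule can reach nodes/proxy: the explicit entry the
    policy targets, or the wildcard "*" resource, which matches it too."""
    return any(r in ("nodes/proxy", "*") for r in rule.get("resources", []))

def find_nodes_proxy_rules(clusterrole: dict) -> list:
    """Indices of the rules in a ClusterRole that grant nodes/proxy."""
    if clusterrole.get("kind") != "ClusterRole":
        return []
    return [i for i, rule in enumerate(clusterrole.get("rules", []))
            if rule_grants_nodes_proxy(rule)]

def is_compliant(clusterrole: dict) -> bool:
    """Policy decision: admit the ClusterRole only if no rule grants nodes/proxy."""
    return not find_nodes_proxy_rules(clusterrole)

# Parsed form of the two compliant ClusterRoles shown on this page.
GOODCR01 = {
    "kind": "ClusterRole", "metadata": {"name": "goodcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "namespaces"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list"]},
    ],
}
GOODCR02 = {
    "kind": "ClusterRole", "metadata": {"name": "goodcr02"},
    "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]}],
}
# Constructed non-compliant ClusterRole (not from the page): its second rule
# adds nodes/proxy, so the policy would reject it.
BADCR = {
    "kind": "ClusterRole", "metadata": {"name": "badcr01"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]},
    ],
}

if __name__ == "__main__":
    for cr in (GOODCR01, GOODCR02, BADCR):
        bad = find_nodes_proxy_rules(cr)
        print(cr["metadata"]["name"], "compliant" if not bad else "violates policy in rules %s" % bad)
```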