Profile Applicability:

  • Level 1

Description:
 The ability to create Pods in Kubernetes should be restricted to only those users and service accounts who absolutely need it. This check ensures that access to create Pods is granted only to the necessary roles or service accounts, minimizing the potential for unauthorized or accidental Pod creation.

Rationale:
 Limiting access to create Pods reduces the risk of unauthorized workloads being introduced to the cluster. It also ensures that only authorized personnel or automated processes can deploy workloads, maintaining control over the cluster’s resources and reducing the attack surface.

Impact:

  • Pros:

    • Reduces the risk of unauthorized or accidental Pod creation.

    • Improves security by ensuring that only trusted users or service accounts can deploy workloads.

  • Cons:

    • Requires careful role management to ensure legitimate use cases for Pod creation are not disrupted.

    • May increase administrative overhead to manage who has access to create Pods.

Default Value:
 By default, users with sufficient permissions (e.g., admin or cluster-admin roles) can create Pods. This access should be restricted based on the principle of least privilege.

Pre-requisites:
 Ensure that Role-Based Access Control (RBAC) is configured properly and that only trusted users and service accounts have access to create Pods.

Remediation:

Test Plan:

Using Azure Console:

  1. Access the Kubernetes RBAC settings and review role bindings for users or service accounts with permissions to create Pods.

  2. Ensure that only necessary roles or service accounts have the ability to create Pods.

Using Azure CLI:

  1. Use the following command to review who has access to create Pods:

     kubectl get rolebindings --all-namespaces -o yaml

  2. Check the roles or ClusterRoles assigned to users and service accounts to ensure that only the necessary ones have permission to create Pods.
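As an added check that is not part of this benchmark text: the script below reads the JSON produced by `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` and lists every subject whose bound role grants `create` on `pods`, including ClusterRoleBindings, ClusterRoles referenced from namespaced RoleBindings, and wildcard (`*`) rules that a RoleBinding-only review would miss. The input here is a constructed sample in that format; the function and object names are the example's own.

```python
import json

# Constructed sample shaped like the output of
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
SAMPLE = json.loads("""{"kind":"List","items":[
 {"kind":"ClusterRole","metadata":{"name":"pod-deployer"},
  "rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["create","get"]}]},
 {"kind":"ClusterRole","metadata":{"name":"pod-viewer"},
  "rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]},
 {"kind":"Role","metadata":{"name":"wildcard","namespace":"dev"},
  "rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
 {"kind":"RoleBinding","metadata":{"name":"ci","namespace":"dev"},
  "roleRef":{"kind":"ClusterRole","name":"pod-deployer"},
  "subjects":[{"kind":"ServiceAccount","name":"ci-runner","namespace":"dev"}]},
 {"kind":"RoleBinding","metadata":{"name":"bob-admin","namespace":"dev"},
  "roleRef":{"kind":"Role","name":"wildcard"},"subjects":[{"kind":"User","name":"bob"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"ops-deploy"},
  "roleRef":{"kind":"ClusterRole","name":"pod-deployer"},"subjects":[{"kind":"Group","name":"ops"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"alice-view"},
  "roleRef":{"kind":"ClusterRole","name":"pod-viewer"},"subjects":[{"kind":"User","name":"alice"}]}]}""")

def rule_grants_pod_create(rule):
    """True if one RBAC rule covers verb 'create' on core-group 'pods' ('*' matches anything)."""
    covers = lambda values, wanted: "*" in values or wanted in values
    return (covers(rule.get("verbs", []), "create") and covers(rule.get("resources", []), "pods")
            and covers(rule.get("apiGroups", [""]), ""))

def pod_creators(items):
    """Return sorted (subject, scope) pairs for every subject whose bound role can create Pods."""
    roles = {}  # (kind, namespace, name) -> rules; ClusterRoles have namespace ""
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            roles[(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])] = o.get("rules") or []
    found = set()
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = o["roleRef"], o["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the grant then applies only within the binding's namespace.
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]), [])
        if not any(rule_grants_pod_create(r) for r in rules):
            continue
        scope = f"namespace {ns}" if o["kind"] == "RoleBinding" else "cluster-wide"
        for s in o.get("subjects") or []:
            name = f"{s['namespace']}/{s['name']}" if s["kind"] == "ServiceAccount" else s["name"]
            found.add((f"{s['kind']}:{name}", scope))
    return sorted(found)

if __name__ == "__main__":
    print(*pod_creators(SAMPLE["items"]), sep="\n")
```

On a live cluster, pipe the `kubectl get ... -o json` output into `json.load` and pass its `items` list to `pod_creators`; every subject it prints should be justified by a documented need to create Pods.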

Implementation Plan:

Using Azure Console:

  1. Review the Kubernetes RBAC settings to ensure only the necessary roles have create permissions for Pods.

  2. Modify role bindings to restrict access to Pod creation by removing unnecessary permissions.

Using Azure CLI:

  1. Update the role or ClusterRole definitions to remove the ability to create Pods for unnecessary users or service accounts. For example, use the following command to edit the rolebinding:

     kubectl edit rolebinding <rolebinding-name> --namespace=<namespace>

  2. Ensure that only specific roles (e.g., administrators) have permission to create Pods.

Backout Plan:

Using Azure Console:

  1. If restricting access to create Pods causes operational issues, revert the configuration by restoring the role bindings or roles to their original state.

Using Azure CLI:

  1. Revert any changes to role bindings or ClusterRoles by running the following command to re-add access:

     kubectl create rolebinding <binding-name> --role=<role-name> --user=<user-name> --namespace=<namespace>
References:

  1. Kubernetes RBAC Documentation