Profile Applicability:
Level 1
Description:
Webhook configuration objects in Kubernetes, MutatingWebhookConfiguration and ValidatingWebhookConfiguration (API group admissionregistration.k8s.io), register the external admission webhooks that the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers call to mutate or validate API requests before they are persisted. These objects are cluster-scoped. This check ensures that the ability to read and, above all, to create, update or delete them is restricted to trusted users and service accounts, so that admission control policy cannot be changed without authorization.
Rationale:
Admission webhooks are a powerful extension point: a validating webhook can reject requests that violate policy, and a mutating webhook can rewrite any resource before it is stored. An attacker who can modify webhook configurations can disable or bypass the validating policies that enforce security controls, or register a mutating webhook of their own that alters workloads as they are created. Because the objects are cluster-scoped, a single write grant affects every namespace. Restricting the RBAC verbs on webhook configuration objects mitigates this risk.
Impact:
Pros:
Enhances security by preventing unauthorized changes to admission control policies.
Protects critical webhook configurations that enforce security and validation rules across the cluster.
Cons:
May require additional access control configurations to ensure legitimate users and services can access webhook configurations.
Increases the complexity of managing and auditing access control policies for webhooks.
Default Value:
Kubernetes has no control specific to webhook configurations beyond RBAC. In a default RBAC cluster the objects are readable and writable by cluster-admin and by any subject bound to a ClusterRole that grants verbs on admissionregistration.k8s.io resources (including wildcard rules); the built-in view and edit roles do not include them. Any broader access is the result of roles and bindings added to the cluster.
Pre-requisites:
Ensure that Kubernetes RBAC is enabled on the cluster (it is enabled by default on AKS) and that access to admissionregistration.k8s.io resources is granted only through reviewed ClusterRoles and ClusterRoleBindings. Namespaced Roles cannot grant access to these cluster-scoped objects.
Test Plan:
Using Azure Console:
In the Azure portal, open the Azure Kubernetes Service (AKS) cluster and select Access control (IAM).
If the cluster uses Azure RBAC for Kubernetes Authorization, review the role assignments: the Azure Kubernetes Service RBAC Cluster Admin role grants full access to every Kubernetes resource, including webhook configurations, and any custom role whose dataActions include Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/* grants access to them as well.
Confirm that only trusted users, groups or managed identities hold such assignments, and that subjects who only need to inspect webhooks have read verbs (get, list, watch) rather than create, update, patch or delete.
If the cluster uses Kubernetes RBAC alone, the portal only shows who can retrieve cluster credentials; the permission review must be done with kubectl as described below.
Using Azure CLI:
List all webhook configuration objects in the cluster (note the resource names; there is no "mutatingadmissionwebhookconfiguration" resource):
kubectl get mutatingwebhookconfigurations
kubectl get validatingwebhookconfigurations
Because these objects are cluster-scoped, only ClusterRoles bound through ClusterRoleBindings can grant access to them. List the bindings together with the ClusterRole each one references:
kubectl get clusterrolebindings -o wide
For each ClusterRole that appears, inspect its rules for the admissionregistration.k8s.io group, for wildcard ("*") API groups or resources, and for the verbs create, update, patch, delete and deletecollection:
kubectl describe clusterrole <clusterrole-name>
Spot-check individual subjects with impersonation; the answer must be "no" for everyone except cluster administrators and the controllers that legitimately manage webhooks (for example a policy engine):
kubectl auth can-i update validatingwebhookconfigurations --as=<user>
kubectl auth can-i delete mutatingwebhookconfigurations --as=system:serviceaccount:<namespace>:<service-account>
Record any subject that has write verbs on these resources without a documented need.
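Reviewing every ClusterRole by hand does not scale, and wildcard rules ("*" in apiGroups, resources or verbs) are easy to miss. The following script is an added example, not part of the benchmark or of any Kubernetes tooling: it takes the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces and reports every subject that can create, update, patch or delete webhook configurations, resolving wildcards along the way. The sample input embedded in SAMPLE_OBJECTS is constructed for illustration; the role and subject names in it are hypothetical.

```python
"""Audit Kubernetes RBAC for subjects that can change admission webhook configurations.

Added example, not part of the original benchmark. Input is the List object that
`kubectl get clusterroles,clusterrolebindings -o json` returns. ClusterRoles built
with an aggregationRule already have their effective rules filled in by the
controller, so reading .rules is sufficient.
"""
import json
import sys

WEBHOOK_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def rule_grants_write(rule):
    """True if a single RBAC rule grants any write verb on any webhook configuration kind.

    "*" matches everything in apiGroups, resources and verbs. Only top-level
    resource names are considered; subresource forms are not relevant here.
    """
    groups = rule.get("apiGroups", [])
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if "*" not in groups and WEBHOOK_GROUP not in groups:
        return False
    if "*" not in resources and not (WEBHOOK_RESOURCES & resources):
        return False
    return "*" in verbs or bool(WRITE_VERBS & verbs)


def writers_of_webhook_configs(objects):
    """Return {subject: [clusterrole, ...]} for every subject bound, through a
    ClusterRoleBinding, to a ClusterRole that can write webhook configurations.

    Subjects are rendered as "Kind/name", or "ServiceAccount/namespace/name".
    Namespaced Roles and RoleBindings are ignored: they cannot grant access to
    cluster-scoped objects.
    """
    items = objects["items"]
    risky_roles = {
        o["metadata"]["name"]
        for o in items
        if o["kind"] == "ClusterRole"
        and any(rule_grants_write(r) for r in o.get("rules", []))
    }
    findings = {}
    for o in items:
        if o["kind"] != "ClusterRoleBinding":
            continue
        ref = o["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky_roles:
            continue
        for s in o.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                key = f"ServiceAccount/{s.get('namespace', '')}/{s['name']}"
            else:
                key = f"{s['kind']}/{s['name']}"
            findings.setdefault(key, []).append(ref["name"])
    return findings


def _role(name, rules):
    return {"kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}


def _binding(name, role, subjects):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": subjects}


# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`.
# Names are hypothetical; only system:masters/cluster-admin mirror real defaults.
SAMPLE_OBJECTS = {"kind": "List", "items": [
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _role("webhook-admin", [{"apiGroups": [WEBHOOK_GROUP],
                             "resources": sorted(WEBHOOK_RESOURCES),
                             "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]),
    _role("webhook-viewer", [{"apiGroups": [WEBHOOK_GROUP],
                              "resources": ["validatingwebhookconfigurations"],
                              "verbs": ["get", "list", "watch"]}]),
    _role("pod-editor", [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]),
    _binding("cluster-admin", "cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _binding("policy-controller", "webhook-admin",
             [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "policy-controller"}]),
    _binding("auditors", "webhook-viewer", [{"kind": "User", "name": "auditor@example.com"}]),
    _binding("developers", "pod-editor", [{"kind": "User", "name": "dev@example.com"}]),
]}


if __name__ == "__main__":
    # Pipe real cluster data in, or run with no stdin to see the sample findings.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_OBJECTS
    for subject, roles in sorted(writers_of_webhook_configs(data).items()):
        print(f"{subject}: can write webhook configurations via {', '.join(roles)}")
```

Run it against a live cluster with `kubectl get clusterroles,clusterrolebindings -o json | python3 audit_webhook_rbac.py`; every subject printed should be either a cluster administrator or a controller with a documented need to manage webhooks. On the sample data only system:masters (via cluster-admin) and the kube-system policy-controller service account are reported; the auditor's read-only role and the pod editor are not.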
Implementation Plan:
Using Azure Console:
In the Azure portal, open the AKS cluster and select Access control (IAM).
If the cluster uses Azure RBAC for Kubernetes Authorization, remove the Azure Kubernetes Service RBAC Cluster Admin assignments (and any custom role with write dataActions under Microsoft.ContainerService/managedClusters/admissionregistration.k8s.io/) from identities that do not need to manage admission webhooks.
Where an identity only needs to inspect webhooks, assign a custom role limited to the read dataActions on those resources instead of a cluster administrator role.
If the cluster uses Kubernetes RBAC alone, the portal cannot express per-resource permissions; apply the kubectl steps below.
Using Azure CLI:
Define a ClusterRole scoped to exactly the webhook configuration resources. A namespaced Role cannot grant these, and the resources live in the admissionregistration.k8s.io group, not the core ("") group. For example, in clusterrole.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: webhook-config-admin
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
For subjects that only need to inspect webhooks, create a second ClusterRole with verbs ["get", "list", "watch"] only.
Apply the ClusterRole:
kubectl apply -f clusterrole.yaml
Bind it to the users or service accounts that legitimately manage webhooks:
kubectl create clusterrolebinding <binding-name> --clusterrole=webhook-config-admin --user=<user>
kubectl create clusterrolebinding <binding-name> --clusterrole=webhook-config-admin --serviceaccount=<namespace>:<service-account>
Creating these roles does not by itself restrict anyone. The restriction comes from removing or narrowing every other ClusterRoleBinding that grants write verbs on admissionregistration.k8s.io resources or uses wildcards, so that cluster-admin and the scoped role above are the only paths to these objects:
kubectl delete clusterrolebinding <over-privileged-binding-name>
Verify that only authorized subjects can change webhook configurations:
kubectl auth can-i update mutatingwebhookconfigurations --as=<user>
kubectl get clusterrolebindings -o wide
Backout Plan:
Using Azure Console:
If restricting access to webhook configuration objects breaks a legitimate workflow (for example a policy engine that can no longer register its webhooks), restore the previous role assignments in the Azure portal under Access control (IAM) for the affected identity, then narrow them again once the required permissions are understood.
Using Azure CLI:
Restore access by recreating the removed ClusterRoleBinding, or by deleting the new scoped binding if it is the cause of the problem:
kubectl delete clusterrolebinding <binding-name>
kubectl create clusterrolebinding <binding-name> --clusterrole=<previous-clusterrole> --user=<user>
After the outage is resolved, identify the exact verbs the affected subject needs and grant only those, so the cluster is not left with the original over-broad access.
References:
Kubernetes Admission Webhooks Documentation
Azure Kubernetes Service (AKS) Role-Based Access Control (RBAC)
Kubernetes RBAC Documentation