Profile Applicability:

  • Level 1

Description:
 The CertificateSigningRequest (CSR) object in Kubernetes allows users to request certificates for workloads. The approval sub-resource of a CSR is used to approve or reject the certificate request. This check ensures that access to the approval sub-resource of CertificateSigningRequests (CSRs) is minimized and restricted to only trusted users or service accounts to prevent unauthorized approval of certificate requests.

Rationale:
 Allowing unrestricted access to approve certificate signing requests can lead to security risks, as malicious or unauthorized users could approve certificates, potentially compromising sensitive communications and authentication within the cluster. By minimizing access to the approval sub-resource, you ensure that only authorized users can approve CSRs and issue certificates.

Impact:

Pros:

  • Restricts certificate issuance to authorized administrators only.

  • Reduces the risk of unauthorized or malicious users being able to issue certificates.

Cons:

  • Requires careful configuration to ensure legitimate users or service accounts can still approve CSRs when needed.

  • Increases administrative overhead to ensure RBAC policies are properly configured.

Default Value:
 By default, any user with sufficient permissions to access CertificateSigningRequests can approve or reject the requests. Kubernetes does not restrict access to the approval sub-resource unless configured through RBAC.

Pre-requisites:
 Ensure that RBAC (Role-Based Access Control) is enabled and configured to restrict access to CSR approvals. Also, ensure that the appropriate service accounts and roles are granted the necessary permissions.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Access Control (IAM) settings to ensure that only trusted users or service accounts have the necessary permissions to approve CSR requests.

  3. Verify that RBAC policies are properly configured to limit access to the approval sub-resource of CertificateSigningRequest objects.

Using Azure CLI:

  1. Check if any users or service accounts have permissions to approve CSR requests by listing all RoleBindings:

     kubectl get rolebindings --all-namespaces -o=jsonpath='{.items[*].subjects[*].name}'

  2. Use the following command to check access to the CSR approval sub-resource:

     kubectl get certificatesigningrequests <csr-name> -o=jsonpath='{.status.conditions[*].type}'

     Ensure that only authorized users are listed with permissions to approve the CSR request.
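To answer "who can approve a CSR" from the RBAC objects themselves, the following added example (not part of the original benchmark text) evaluates ClusterRole rules, wildcards included, and reports every subject bound cluster-wide to a role that can write certificatesigningrequests/approval and approve for a signer. The function names and the sample objects are constructed; on a real cluster the input would be the items list of `kubectl get clusterroles,clusterrolebindings -o json`.

```python
GROUP = "certificates.k8s.io"
APPROVAL = "certificatesigningrequests/approval"

def _has(values, wanted):
    return "*" in values or wanted in values
def rule_grants(rule, verbs, resource):
    """True if one RBAC rule allows any of `verbs` on `resource` in certificates.k8s.io."""
    res = rule.get("resources", [])
    wild_sub = "*/" + resource.split("/")[1] if "/" in resource else resource
    return (_has(rule.get("apiGroups", []), GROUP)
            and any(_has(rule.get("verbs", []), v) for v in verbs)
            and (_has(res, resource) or wild_sub in res))

def approver_roles(items):
    """ClusterRoles that can write CSR approval AND hold 'approve' on a signer."""
    def ok(rules):
        return (any(rule_grants(r, ("update", "patch"), APPROVAL) for r in rules)
                and any(rule_grants(r, ("approve",), "signers") for r in rules))
    return {o["metadata"]["name"] for o in items
            if o["kind"] == "ClusterRole" and ok(o.get("rules") or [])}

def approver_subjects(items):
    """(kind, name, binding) for every subject bound cluster-wide to an approver role."""
    roles = approver_roles(items)
    return sorted((s["kind"], s["name"], o["metadata"]["name"])
                  for o in items
                  if o["kind"] == "ClusterRoleBinding" and o["roleRef"]["name"] in roles
                  for s in o.get("subjects") or [])

def _role(name, group, resources, verbs, extra=()):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [group], "resources": resources, "verbs": verbs}, *extra]}
def _bind(kind, name, role, subject_kind, subject):
    return {"kind": kind, "metadata": {"name": name}, "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": subject_kind, "name": subject}]}

# Constructed sample standing in for the exported "items" list (all names are made up)
SIGNERS = {"apiGroups": [GROUP], "resources": ["signers"], "verbs": ["approve"]}
SAMPLE = [
    _role("csr-approver", GROUP, [APPROVAL], ["update"], [SIGNERS]),
    _role("wildcard-admin", "*", ["*"], ["*"]),  # wildcards grant approval implicitly
    _role("csr-reader", GROUP, ["certificatesigningrequests"], ["get", "list"]),
    _bind("ClusterRoleBinding", "csr-approver-binding", "csr-approver", "User", "alice"),
    _bind("ClusterRoleBinding", "legacy-admin", "wildcard-admin", "ServiceAccount", "deployer"),
    _bind("ClusterRoleBinding", "readers", "csr-reader", "User", "bob"),
    _bind("RoleBinding", "ns-only", "csr-approver", "User", "carol"),  # namespaced: no CSR access
]

if __name__ == "__main__":
    print(approver_subjects(SAMPLE))
```

Any subject in the result that is not an intended approver, in particular one that arrives through a wildcard role, is a finding for this control.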

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, navigate to the Kubernetes Services and select your AKS cluster.

  2. Under Access Control (IAM), configure Role-Based Access Control (RBAC) to restrict access to the approval sub-resource of CertificateSigningRequests.

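  3. Create a custom RBAC role that grants the ability to approve or reject CSRs only to trusted administrators or service accounts. CertificateSigningRequests are cluster-scoped objects in the certificates.k8s.io API group, so the role must be a ClusterRole. Approving or denying a request is an update of the approval sub-resource, and the approver also needs the approve verb on the signer it acts for. Example role definition:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-approver
rules:
# Read access so the approver can inspect pending requests
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["get", "list", "watch"]
# Approving or denying a CSR is an update of its approval sub-resource
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval"]
  verbs: ["update"]
# Limit which signer(s) this role may approve requests for
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  resourceNames: ["<signer-name>"]
  verbs: ["approve"]

  4. Bind this role to the appropriate user(s) or service account(s) using a ClusterRoleBinding to ensure that only authorized users can approve certificate requests:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csr-approver-binding
subjects:
# For a service account use kind: ServiceAccount, apiGroup: "" and add its namespace
- kind: User
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csr-approver
  apiGroup: rbac.authorization.k8s.io

  5. Apply these roles and bindings to ensure that only authorized users can approve CSRs.

Using Azure CLI:

Create a custom RBAC role to restrict access to the approval sub-resource of CertificateSigningRequests. Because CertificateSigningRequests are cluster-scoped objects in the certificates.k8s.io API group, the role is a ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csr-approver
rules:
# Read access so the approver can inspect pending requests
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["get", "list", "watch"]
# Approving or denying a CSR is an update of its approval sub-resource
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/approval"]
  verbs: ["update"]
# Limit which signer(s) this role may approve requests for
- apiGroups: ["certificates.k8s.io"]
  resources: ["signers"]
  resourceNames: ["<signer-name>"]
  verbs: ["approve"]

Apply the role using:

kubectl apply -f csr-approver-role.yaml

Create a ClusterRoleBinding to bind the csr-approver role to specific users or service accounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csr-approver-binding
subjects:
# For a service account use kind: ServiceAccount, apiGroup: "" and add its namespace
- kind: User
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csr-approver
  apiGroup: rbac.authorization.k8s.io

Apply the ClusterRoleBinding:

kubectl apply -f csr-approver-rolebinding.yaml

Backout Plan:

Using Azure Console:

  1. If restricting access to the approval sub-resource of CertificateSigningRequests causes issues, revert the RBAC configuration in the Azure portal by modifying or removing the ClusterRoleBinding or ClusterRole.

Using Azure CLI:

To revert the changes, delete the ClusterRoleBinding and ClusterRole:

kubectl delete clusterrolebinding csr-approver-binding
kubectl delete clusterrole csr-approver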
