Profile Applicability:

  • Level 1

Description:
This check ensures that the ability to create pods is restricted to trusted users and service accounts. By default, Kubernetes lets any principal that holds a role granting the create verb on pods launch containers in the cluster. Restricting pod creation enforces security policy and prevents unauthorized users from launching containers in the cluster.

Rationale:
 Allowing unrestricted access to create pods can lead to unintentional or malicious workloads being run in the cluster, potentially consuming resources or compromising the security of the environment. By limiting the ability to create pods, you can ensure that only trusted users or service accounts are able to deploy workloads, which helps mitigate risks like unauthorized access or over-consumption of cluster resources.

Impact:

  • Pros:

    • Reduces the risk of unauthorized or malicious pod deployments.

    • Enhances control over workloads running in the cluster.

    • Helps enforce the principle of least privilege and cluster resource management.

  • Cons:

    • Some workflows or teams may require the ability to create pods, and limiting this could impact their operations.

    • Requires careful configuration to ensure that legitimate users can still create pods when needed.

Default Value:
By default, Kubernetes does not restrict pod creation, and any user with appropriate permissions (such as admin or edit) can create pods.

Pre-requisites:
Ensure that RBAC (Role-Based Access Control) is properly configured to manage pod creation permissions. You may also need to configure PodSecurityPolicies or Admission Controllers to enforce these restrictions (PodSecurityPolicy was removed in Kubernetes v1.25; on current clusters Pod Security Admission or a policy admission controller fills that role).


Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Role-Based Access Control (RBAC) settings to ensure that only trusted users or service accounts have the permission to create pods.

  3. Verify that appropriate RBAC roles are assigned to control the creation of pods within different namespaces.

Using Azure CLI:

1. List every RoleBinding together with the role it references and the subjects it grants to:

kubectl get rolebindings --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" -> "}{.roleRef.kind}{"/"}{.roleRef.name}{": "}{range .subjects[*]}{.kind}{"/"}{.name}{" "}{end}{"\n"}{end}'

2. List the rules of every Role so you can see which roles grant the create verb (or the wildcard "*") on pods, then match those role names against the bindings from step 1 to find users or service accounts who do not need access:

kubectl get roles --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{": "}{range .rules[*]}{.resources}{"="}{.verbs}{" "}{end}{"\n"}{end}'

Repeat both commands with clusterrolebindings and clusterroles: a ClusterRole bound through a RoleBinding or a ClusterRoleBinding also grants pod creation, and the wildcard "*" in resources or verbs covers pods as well.

3. Ensure that only trusted administrators and service accounts are listed as having the "create" permission for pods.


Implementation Plan:

Using Azure Console:

1. In the Azure portal, go to Azure Kubernetes Service (AKS) and navigate to the Role-Based Access Control (RBAC) settings.

2. Create a Role such as pod-creator that grants only the create verb on pods, and use a RoleBinding to bind it to the specific users or service accounts that need it.

3. Apply the RoleBinding so that only trusted users can create pods.

Using Azure CLI:

1. To restrict pod creation, create a custom RBAC role with limited permissions (save it as pod-creator-role.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-creator
  namespace: <namespace-name>
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create"]

2. Apply the Role using the following command:

kubectl apply -f pod-creator-role.yaml


3. Bind the Role to specific users or service accounts by creating a RoleBinding (save it as pod-creator-binding.yaml):

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-creator-binding
  namespace: <namespace-name>
subjects:
- kind: User          # for a service account use kind: ServiceAccount, omit apiGroup, and add namespace: <namespace-name>
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-creator
  apiGroup: rbac.authorization.k8s.io

4. Apply the RoleBinding:

 kubectl apply -f pod-creator-binding.yaml
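The jsonpath queries in the test plan show bindings and rules separately, and they do not follow a RoleBinding to a ClusterRole, a ClusterRoleBinding, or a wildcard rule. The audit below, an added example that is not part of this benchmark or of Kubernetes itself, resolves all four RBAC object kinds the way the API server does and reports, per namespace, which subjects can create pods. It runs on the JSON that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings --all-namespaces -o json` produces; the embedded sample is constructed and contains the pod-creator Role and RoleBinding from the implementation plan (namespace team-a, user alice are assumed values), a wildcard ClusterRole bound cluster-wide to a CI service account, and a dangling binding in team-b, so the output also shows what the test plan should flag.

```python
"""Audit which RBAC subjects can create pods (added example, not benchmark code).

Input: the JSON List returned by
  kubectl get roles,clusterroles,rolebindings,clusterrolebindings --all-namespaces -o json
Usage: python rbac_pod_audit.py rbac.json   (no argument: runs on the constructed sample)
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample; namespaces, users and role names are assumptions for the demo.
SAMPLE_RBAC_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Role", "metadata": {"name": "pod-creator", "namespace": "team-a"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "pod-creator-binding", "namespace": "team-a"},
         "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "Role", "name": "pod-creator", "apiGroup": "rbac.authorization.k8s.io"}},
        {"kind": "ClusterRole", "metadata": {"name": "view"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "team-a"},
         "subjects": [{"kind": "Group", "name": "devs", "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": "rbac.authorization.k8s.io"}},
        {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci-tools"}],
         "roleRef": {"kind": "ClusterRole", "name": "wide-open", "apiGroup": "rbac.authorization.k8s.io"}},
        {"kind": "RoleBinding", "metadata": {"name": "stale-binding", "namespace": "team-b"},
         "subjects": [{"kind": "User", "name": "bob", "apiGroup": "rbac.authorization.k8s.io"}],
         "roleRef": {"kind": "Role", "name": "pod-creator", "apiGroup": "rbac.authorization.k8s.io"}},
    ],
})


def load_sample_items():
    """Parse the constructed sample into the list of RBAC objects."""
    return json.loads(SAMPLE_RBAC_JSON)["items"]


def rule_allows(rule, verb="create", resource="pods", api_group=""):
    """True if one RBAC rule grants `verb` on `resource`; '*' matches anything."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    return ((api_group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def role_allows(role, verb="create", resource="pods"):
    return any(rule_allows(r, verb, resource) for r in role.get("rules", []))


def subject_id(subject):
    """Stable identifier; service accounts are namespaced, users and groups are not."""
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


@dataclass
class AuditResult:
    creators: dict = field(default_factory=dict)    # namespace ('*' = all) -> set of subject ids
    unresolved: list = field(default_factory=list)  # (namespace, binding, roleRef) with no role


def audit_pod_creators(items):
    """Resolve every binding to its role and collect subjects that can create pods."""
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i for i in items if i["kind"] == "Role"}
    cluster_roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    result = AuditResult()
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = b["metadata"].get("namespace", "*")   # a ClusterRoleBinding applies in every namespace
        ref = b["roleRef"]
        role = roles.get((ns, ref["name"])) if ref["kind"] == "Role" else cluster_roles.get(ref["name"])
        if role is None:
            result.unresolved.append((ns, b["metadata"]["name"], f"{ref['kind']}/{ref['name']}"))
            continue
        if role_allows(role):
            result.creators.setdefault(ns, set()).update(subject_id(s) for s in b.get("subjects", []))
    return result


def can_create_pods(result, subject, namespace):
    """Cluster-wide grants ('*') apply everywhere; namespaced grants only in their namespace."""
    return subject in result.creators.get("*", set()) or subject in result.creators.get(namespace, set())


if __name__ == "__main__":
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else load_sample_items()
    res = audit_pod_creators(items)
    for ns, subjects in sorted(res.creators.items()):
        print(f"{ns}: {', '.join(sorted(subjects))}")
    for ns, name, ref in res.unresolved:
        print(f"WARNING: binding {ns}/{name} references missing {ref}")
```

Review every subject the script lists against the set of trusted administrators and service accounts; a ClusterRole with wildcard rules bound cluster-wide, as in the sample, grants pod creation in every namespace even though neither "pods" nor "create" appears in its rules. For a spot check of a single principal against the live cluster, `kubectl auth can-i create pods --as=<user-name> --namespace=<namespace-name>` asks the API server directly.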


Backout Plan:

Using Azure Console:

  1. If restricting pod creation causes issues with legitimate workloads, revert the changes by re-enabling pod creation for specific users or service accounts in the Azure portal.

Using Azure CLI:

1. To revert the RBAC settings, delete the Role and RoleBinding:

kubectl delete role pod-creator --namespace=<namespace-name>

kubectl delete rolebinding pod-creator-binding --namespace=<namespace-name>


References:

  1. Kubernetes RBAC Documentation

  2. Azure Kubernetes Service (AKS) RBAC

  3. Kubernetes Pod Documentation