Profile Applicability:
Level 1
Description:
Kubernetes provides Bind, Impersonate, and Escalate permissions in RBAC (Role-Based Access Control) to allow users to perform operations that can modify permissions, impersonate other users or service accounts, or escalate privileges. This check ensures that access to these sensitive permissions is restricted to trusted administrators and roles, minimizing the risk of privilege escalation and unauthorized access within the cluster.
Rationale:
The Bind, Impersonate, and Escalate permissions can be misused by attackers to escalate privileges or impersonate users, potentially compromising the entire Kubernetes cluster. Limiting the use of these permissions ensures that only trusted users have the ability to modify RBAC roles, impersonate users, or escalate privileges. By restricting access to these permissions, you improve the overall security and governance of your Kubernetes environment.
Impact:
Pros:
Enhances overall security by limiting the access to sensitive RBAC permissions.
Prevents unauthorized privilege escalation or impersonation within the cluster.
Helps enforce the principle of least privilege for administrative users.
Cons:
May require careful planning to ensure that legitimate administrative users or service accounts can still perform their necessary tasks.
Increased complexity in managing RBAC roles and permissions, especially in large clusters.
Default Value:
By default, Kubernetes does not restrict access to Bind, Impersonate, and Escalate permissions. They need to be manually configured and controlled through RBAC policies.
Pre-requisites:
Ensure that RBAC (Role-Based Access Control) is enabled and properly configured in the Kubernetes cluster. Ensure that RoleBindings and ClusterRoleBindings are reviewed to restrict the use of sensitive permissions.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Role-Based Access Control (RBAC) settings for your AKS cluster.
Ensure that users with administrative access do not have unnecessary permissions for Bind, Impersonate, or Escalate unless explicitly required.
Using Azure CLI:
List the ClusterRoleBindings to check for roles that grant the Bind, Impersonate, or Escalate permissions:
kubectl get clusterrolebindings -o=jsonpath='{.items[*].roleRef.name}'
Use the following command (requires jq, since kubectl's JSONPath filter does not support nested filters or "||") to list the ClusterRoles whose rules grant these sensitive verbs, including roles that grant the wildcard verb "*":
kubectl get clusterroles -o json | jq -r '.items[] | select(any(.rules[]?; any(.verbs[]?; IN("bind","impersonate","escalate","*")))) | .metadata.name'
Review and verify that only trusted users have access to these permissions.
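The two commands above answer "which roles grant the verbs" and "which roles are bound" separately; the following added script (not part of this benchmark) joins the two, treating the wildcard verb as granting all three, and lists the subjects bound to each offending ClusterRole. The input shape is that of kubectl get clusterroles,clusterrolebindings -o json; the SAMPLE document is constructed for illustration.

```python
"""Audit ClusterRoles and ClusterRoleBindings for bind/impersonate/escalate grants."""
import json

SENSITIVE_VERBS = {"bind", "impersonate", "escalate"}

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`
# (a List whose items carry their own kind); not real cluster output.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rbac-editor"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"], "verbs": ["get", "bind", "escalate"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "minimal-admin"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "rbac-editor-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "rbac-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "build"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]}


def sensitive_verbs(role):
    """Return the sensitive verbs a role grants; a wildcard verb grants all of them."""
    found = set()
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            return set(SENSITIVE_VERBS)
        found |= verbs & SENSITIVE_VERBS
    return found


def audit(doc):
    """Map each ClusterRole granting sensitive verbs to those verbs and its bound subjects."""
    roles = {}
    for item in doc["items"]:
        if item.get("kind") == "ClusterRole" and sensitive_verbs(item):
            roles[item["metadata"]["name"]] = {"verbs": sorted(sensitive_verbs(item)), "subjects": []}
    for item in doc["items"]:
        ref = item.get("roleRef", {})
        if item.get("kind") == "ClusterRoleBinding" and ref.get("name") in roles:
            for s in item.get("subjects") or []:
                ns = s.get("namespace")
                roles[ref["name"]]["subjects"].append(f"{s['kind']}:{ns + '/' if ns else ''}{s['name']}")
    return roles


if __name__ == "__main__":
    # Real use: replace SAMPLE with json.load(sys.stdin) fed by
    # kubectl get clusterroles,clusterrolebindings -o json
    for name, info in audit(SAMPLE).items():
        print(f"{name}: verbs={info['verbs']} subjects={info['subjects'] or ['(unbound)']}")
```

Any role listed with a subject that is not a known administrator is a finding; a listed role with no subjects is dormant but still worth trimming.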
Implementation Plan:
Using Azure Console:
In the Azure portal, go to your AKS cluster and navigate to the Role-Based Access Control (RBAC) settings.
Review all ClusterRoles and ClusterRoleBindings to ensure that Bind, Impersonate, and Escalate permissions are granted only to trusted service accounts or users.
Restrict the permissions of sensitive roles by modifying the RBAC role definitions to limit the ability to bind, impersonate, or escalate. Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: restricted-admin
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "list"]
Apply the updated RBAC configurations to ensure that only authorized users can perform actions that involve Bind, Impersonate, or Escalate.
Using Azure CLI:
Review existing RBAC roles to check for Bind, Impersonate, and Escalate permissions (requires jq; the wildcard verb "*" is included because it grants all three):
kubectl get clusterroles -o json | jq -r '.items[] | select(any(.rules[]?; any(.verbs[]?; IN("bind","impersonate","escalate","*")))) | .metadata.name'
Create a custom ClusterRole that minimizes the use of these sensitive permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: minimal-admin
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list"]
Apply the ClusterRole using the command:
kubectl apply -f minimal-admin-role.yaml
Bind the ClusterRole to a trusted user or service account with a ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: minimal-admin-binding
subjects:
- kind: User  # Or "ServiceAccount"
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: minimal-admin
  apiGroup: rbac.authorization.k8s.io
Apply the ClusterRoleBinding:
kubectl apply -f minimal-admin-binding.yaml
Backout Plan:
Using Azure Console:
If restricting Bind, Impersonate, or Escalate permissions causes issues, revert the changes in the Azure portal by allowing specific users or service accounts access to these permissions.
Using Azure CLI:
Revert the RBAC role or ClusterRoleBinding configuration by modifying the YAML files to restore the Bind, Impersonate, or Escalate permissions.
Apply the reverted configuration:
kubectl apply -f clusterrole.yaml
kubectl apply -f clusterrolebinding.yaml
References:
Kubernetes RBAC Documentation
Azure Kubernetes Service (AKS) Role-Based Access Control
Kubernetes Admission Controllers Documentation