Excessive CertificateSigningRequests approval permission

ID: rbac_approve_certificate_signing_requests

Severity: high

Vendor: Kubernetes

Resource: RBAC

Tags: reachable

Description

Kubernetes RBAC is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles. It is important to ensure that, when designing permissions for cluster users, the cluster administrator understands the areas where privilege escalation could occur, to reduce the risk of excessive access leading to security incidents.

Approving CertificateSigningRequests allows issuing new credentials for any user or group. ClusterRoles that grant permission to approve CertificateSigningRequests therefore effectively grant cluster admin privileges, which is excessive.

Minimize ClusterRole permissions to limit the number of powerful credentials that could take over the entire cluster.

Learn more about this topic at Role Based Access Control Good Practices.

Examples

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: bad # (1)
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/approval"]
    verbs: ["update", "get"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    verbs: ["approve"]
  # Other permissions ...
(1) Approving CertificateSigningRequests allows issuing new credentials for any user or group.

Mitigation / Fix

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: good
rules:
  # CertificateSigningRequests was removed (1)
  # Other permissions ...
(1) Minimize ClusterRole permissions by removing CertificateSigningRequests approval permission.
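
To find which existing ClusterRoles still carry this permission, the following check applies RBAC rule matching (exact value, `*`, and `*/<subresource>`) to a ClusterRole list and reports every role that holds both halves of the approval permission shown in the bad example. It is an added example, not part of the original rule documentation; the role names other than `bad` and `good`, the signer name `example.com/my-signer`, and the sample data are constructed.

```python
# Added example: flag ClusterRoles that can approve CertificateSigningRequests.
GROUP = "certificates.k8s.io"

def grants(rule, verb, resource):
    """RBAC match for one rule: exact value, "*", or "*/<subresource>"."""
    sub = resource.partition("/")[2]
    return (any(g in ("*", GROUP) for g in rule.get("apiGroups", []))
            and any(v in ("*", verb) for v in rule.get("verbs", []))
            and any(r in ("*", resource) or (sub and r == "*/" + sub)
                    for r in rule.get("resources", [])))

def csr_approvers(role_list):
    """Map role name -> signer names it may approve for ("*" = any signer)."""
    found = {}
    for role in role_list.get("items", []):
        rules = role.get("rules") or []  # aggregated roles may carry null rules
        can_update = any(
            grants(r, "update", "certificatesigningrequests/approval") for r in rules)
        signers = sorted({name for r in rules if grants(r, "approve", "signers")
                          for name in (r.get("resourceNames") or ["*"])})
        # Approval needs both halves; this check looks at one role at a time.
        if can_update and signers:
            found[role["metadata"]["name"]] = signers
    return found

def rule(resources, verbs, groups=(GROUP,), names=None):
    """Helper (hypothetical) to build one constructed PolicyRule."""
    r = {"apiGroups": list(groups), "resources": resources, "verbs": verbs}
    if names:
        r["resourceNames"] = names
    return r

# Constructed sample, shaped like `kubectl get clusterroles -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "bad"}, "rules": [
        rule(["certificatesigningrequests/approval"], ["update", "get"]),
        rule(["signers"], ["approve"])]},
    {"metadata": {"name": "wildcard"}, "rules": [rule(["*"], ["*"], groups=["*"])]},
    {"metadata": {"name": "scoped"}, "rules": [
        rule(["*/approval"], ["update"]),
        rule(["signers"], ["approve"], names=["example.com/my-signer"])]},
    {"metadata": {"name": "half"}, "rules": [
        rule(["certificatesigningrequests/approval"], ["update"])]},
    {"metadata": {"name": "good"}, "rules": [rule(["pods"], ["get", "list"], groups=[""])]},
]}

if __name__ == "__main__":
    for name, signers in csr_approvers(SAMPLE).items():
        print(f"{name}: can approve CSRs for signers {signers}")
```

Because RBAC permissions are additive across every role bound to a subject, a role reported as holding only one half (like `half` in the sample) still deserves review alongside the subject's other bindings.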