|
| 1 | +--- |
| 2 | +reviewers: |
| 3 | +title: Role Based Access Control Good Practices |
| 4 | +description: > |
| 5 | + Principles and practices for good RBAC design for cluster operators. |
| 6 | +content_type: concept |
| 7 | +--- |
| 8 | + |
| 9 | +<!-- overview --> |
| 10 | + |
| 11 | +Kubernetes {{< glossary_tooltip text="RBAC" term_id="rbac" >}} is a key security control |
| 12 | +to ensure that cluster users and workloads have only the access to resources required to |
| 13 | +execute their roles. It is important to ensure that, when designing permissions for cluster |
| 14 | +users, the cluster administrator understands the areas where privilge escalation could occur, |
| 15 | +to reduce the risk of excessive access leading to security incidents. |
| 16 | + |
| 17 | +The good practices laid out here should be read in conjunction with the general [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update). |
| 18 | + |
| 19 | +<!-- body --> |
| 20 | + |
| 21 | +## General good practice |
| 22 | + |
| 23 | +### Least privilege |
| 24 | + |
| 25 | +Ideally minimal RBAC rights should be assigned to users and service accounts. Only permissions |
| 26 | +explicitly required for their operation should be used. Whilst each cluster will be different, |
| 27 | +some general rules that can be applied are : |
| 28 | + |
| 29 | + - Assign permissions at the namespace level where possible. Use RoleBindings as opposed to |
| 30 | + ClusterRoleBindings to give users rights only within a specific namespace. |
| 31 | + - Avoid providing wildcard permissions when possible, especially to all resources. |
| 32 | + As Kubernetes is an extensible system, providing wildcard access gives rights |
| 33 | + not just to all object types presently in the cluster, but also to all future object types |
| 34 | + which are created in the future. |
| 35 | + - Administrators should not use `cluster-admin` accounts except where specifically needed. |
| 36 | + Providing a low privileged account with [impersonation rights](/docs/reference/access-authn-authz/authentication/#user-impersonation) |
| 37 | + can avoid accidental modification of cluster resources. |
| 38 | + - Avoid adding users to the `system:masters` group. Any user who is a member of this group |
| 39 | + bypasses all RBAC rights checks and will always have unrestricted superuser access, which cannot be |
| 40 | + revoked by removing Role Bindings or Cluster Role Bindings. As an aside, if a cluster is |
| 41 | + using an authorization webhook, membership of this group also bypasses that webhook (requests |
| 42 | + from users who are members of that group are never sent to the webhook) |
| 43 | + |
| 44 | +### Minimize distribution of privileged tokens |
| 45 | + |
| 46 | +Ideally, pods shouldn't be assigned service accounts granted powerful permissions (listed [here](#Kubernetes-RBAC---Privilege-Escalation-Risks)). |
| 47 | +In cases where a workload requires powerful permissions, consider the following practices: |
| 48 | + |
| 49 | + - Limit the number of nodes running powerful pods. Ensure that any DaemonSets you run |
| 50 | + are necessary and are run with least privilege to limit the blast radius of container escapes. |
| 51 | + - Avoid running powerful pods alongside untrusted or publicly-exposed ones. Consider using |
| 52 | + [Taints and Toleration](/docs/concepts/scheduling-eviction/taint-and-toleration/), [NodeAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity), or [PodAntiAffinity](/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) to ensure |
| 53 | + pods don't run alongside untrusted or less-trusted Pods. Pay especial attention to |
| 54 | + situations where less-trustworthy Pods are not meeting the **Restricted** Pod Security Standard. |
| 55 | + |
| 56 | +### Hardening |
| 57 | + |
| 58 | +Kubernetes defaults to providing access which may not be required in every cluster. Reviewing |
| 59 | +the RBAC rights provided by default can provide opportunities for security hardening. |
| 60 | +In general, changes should not be made to rights provided to `system:` accounts some options |
| 61 | +to harden cluster rights exist: |
| 62 | + |
| 63 | +- Review bindings for the `system:unauthenticated` group and remove where possible, as this gives |
| 64 | + access to anyone who can contact the API server at a network level. |
| 65 | +- Avoid the default auto-mounting of service account tokens by setting |
| 66 | + `automountServiceAccountToken: false`. For more details, see |
| 67 | + [using default service account token](/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server). |
| 68 | + Setting this value for a Pod will overwrite the service account setting, workloads |
| 69 | + which require service account tokens can still mount them. |
| 70 | + |
| 71 | +### Periodic review |
| 72 | + |
| 73 | +It is vital to periodically review the Kubernetes RBAC settings for redundant entries and |
| 74 | +possible privilege escalations. |
| 75 | +If an attacker is able to create a user account with the same name as a deleted user, |
| 76 | +they can automatically inherit all the rights of the deleted user, especially the |
| 77 | +rights assigned to that user. |
| 78 | + |
| 79 | +## Kubernetes RBAC - privilege escalation risks {#privilege-escalation-risks} |
| 80 | + |
| 81 | +Within Kubernetes RBAC there are a number of privileges which, if granted, can allow a user or a service account |
| 82 | +to escalate their privileges in the cluster or affect systems outside the cluster. |
| 83 | + |
| 84 | +This section is intended to provide visibility of the areas where cluster operators |
| 85 | +should take care, to ensure that they do not inadvertantly allow for more access to clusters than intended. |
| 86 | + |
| 87 | +### Listing secrets |
| 88 | + |
| 89 | +It is generally clear that allowing `get` access on Secrets will allow a user to read their contents. |
| 90 | +It is also important to note that `list` and `watch` access also effectively allow for users to reveal the Secret contents. |
| 91 | +For example, when a List response is returned (for example, via `kubectl get secrets -A -o yaml`), the response |
| 92 | +includes the contents of all Secrets. |
| 93 | + |
| 94 | +### Workload creation |
| 95 | + |
| 96 | +Users who are able to create workloads (either Pods, or |
| 97 | +[workload resources](/docs/concepts/workloads/controllers/) that manage Pods) will |
| 98 | +be able to gain access to the underlying node unless restrictions based on the Kubernetes |
| 99 | +[Pod Security Standards](/docs/concepts/security/pod-security-standards/) are in place. |
| 100 | + |
| 101 | +Users who can run privileged Pods can use that access to gain node access and potentially to |
| 102 | +further elevate their privileges. Where you do not fully trust a user or other principal |
| 103 | +with the ability to create suitably secure and isolated Pods, you should enforce either the |
| 104 | +**Baseline** or **Restricted** Pod Security Standard. |
| 105 | +You can use [Pod Security admission](/docs/concepts/security/pod-security-admission/) |
| 106 | +or other (third party) mechanisms to implement that enforcement. |
| 107 | + |
| 108 | +You can also use the deprecated [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/) mechanism |
| 109 | +to restrict users' abilities to create privileged Pods (N.B. PodSecurityPolicy is scheduled for removal |
| 110 | +in version 1.25). |
| 111 | + |
| 112 | +Creating a workload in a namespace also grants indirect access to Secrets in that namespace. |
| 113 | +Creating a pod in kube-system or a similarly privileged namespace can grant a user access to |
| 114 | +Secrets they would not have through RBAC directly. |
| 115 | + |
| 116 | +### Persistent volume creation |
| 117 | + |
| 118 | +As noted in the [PodSecurityPolicy](/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems) documentation, access to create PersistentVolumes can allow for escalation of access to the underlying host. Where access to persistent storage is required trusted administrators should create |
| 119 | +PersistentVolumes, and constrained users should use PersistentVolumeClaims to access that storage. |
| 120 | + |
| 121 | +### Access to `proxy` subresource of Nodes |
| 122 | + |
| 123 | +Users with access to the proxy sub-resource of node objects have rights to the Kubelet API, |
| 124 | +which allows for command execution on every pod on the node(s) which they have rights to. |
| 125 | +This access bypasses audit logging and admission control, so care should be taken before |
| 126 | +granting rights to this resource. |
| 127 | + |
| 128 | +### Escalate verb |
| 129 | + |
| 130 | +Generally the RBAC system prevents users from creating clusterroles with more rights than |
| 131 | +they possess. The exception to this is the `escalate` verb. As noted in the [RBAC documentation](/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update), |
| 132 | +users with this right can effectively escalate their privileges. |
| 133 | + |
| 134 | +### Bind verb |
| 135 | + |
| 136 | +Similar to the `escalate` verb, granting users this right allows for bypass of Kubernetes |
| 137 | +in-built protections against privilege escalation, allowing users to create bindings to |
| 138 | +roles with rights they do not already have. |
| 139 | + |
| 140 | +### Impersonate verb |
| 141 | + |
| 142 | +This verb allows users to impersonate and gain the rights of other users in the cluster. |
| 143 | +Care should be taken when granting it, to ensure that excessive permissions cannot be gained |
| 144 | +via one of the impersonated accounts. |
| 145 | + |
| 146 | +### CSRs and certificate issuing |
| 147 | + |
| 148 | +The CSR API allows for users with `create` rights to CSRs and `update` rights on `certificatesigningrequests/approval` |
| 149 | +where the signer is `kubernetes.io/kube-apiserver-client` to create new client certificates |
| 150 | +which allow users to authenticate to the cluster. Those client certificates can have arbitrary |
| 151 | +names including duplicates of Kubernetes system components. This will effectively allow for privilege escalation. |
| 152 | + |
| 153 | +### Token request |
| 154 | + |
| 155 | +Users with `create` rights on `serviceaccounts/token` can create TokenRequests to issue |
| 156 | +tokens for existing service accounts. |
| 157 | + |
| 158 | +### Control admission webhooks |
| 159 | + |
| 160 | +Users with control over `validatingwebhookconfigurations` or `mutatingwebhookconfigurations` |
| 161 | +can control webhooks that can read any object admitted to the cluster, and in the case of |
| 162 | +mutating webhooks, also mutate admitted objects. |
| 163 | + |
| 164 | + |
| 165 | +## Kubernetes RBAC - denial of service risks {#denial-of-service-risks} |
| 166 | + |
| 167 | +### Object creation denial-of-service {#object-creation-dos} |
| 168 | +Users who have rights to create objects in a cluster may be able to create sufficient large |
| 169 | +objects to create a denial of service condition either based on the size or number of objects, as discussed in |
| 170 | +[etcd used by Kubernetes is vulnerable to OOM attack](https://github.com/kubernetes/kubernetes/issues/107325). This may be |
| 171 | +specifically relevant in multi-tenant clusters if semi-trusted or untrusted users |
| 172 | +are allowed limited access to a system. |
| 173 | + |
| 174 | +One option for mitigation of this issue would be to use [resource quotas](/docs/concepts/policy/resource-quotas/#object-count-quota) |
| 175 | +to limit the quantity of objects which can be created. |
0 commit comments