CCSS (Common Configuration Scoring System) is the set of measures used to determine the severity of this rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
A RoleBinding or ClusterRoleBinding was found using one of the default user-facing roles: `cluster-admin`, `admin`, `edit`, or `view`. Pre-defined user-facing roles may be overly permissive.

Set the `roleRef.name` attribute in `RoleBinding` and `ClusterRoleBinding` to a custom role instead of a default role.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: ns
subjects:
  - kind: ServiceAccount
    name: some-sa
    namespace: ns
roleRef:
  kind: Role
  name: reader-role   # custom, namespaced role rather than admin/edit/view
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods
subjects:
  - kind: User
    name: some-user
roleRef:
  kind: ClusterRole
  name: some-role     # custom ClusterRole rather than cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
Set the `role_ref.name` attribute in `kubernetes_role_binding` and `kubernetes_cluster_role_binding` to a custom role instead of a default role.
```hcl
resource "kubernetes_cluster_role_binding" "allowed1" {
  metadata {
    name = "read-pods-crb"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "some-role" # custom ClusterRole rather than cluster-admin
  }
  subject {
    kind = "User"
    name = "some-user"
  }
}
```
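To audit a running cluster for the same condition, here is an added example (not the scanner's own code) that runs the check over the item list `kubectl get rolebindings,clusterrolebindings -A -o json` returns; the sample bindings embedded below are constructed for illustration, and the `dev-editors` RoleBinding shows that a default ClusterRole is flagged even when it is bound only inside one namespace.

```python
"""Flag RoleBindings/ClusterRoleBindings whose roleRef.name is a default
user-facing role. Added example, not the checker's own code; input is the item
list from `kubectl get rolebindings,clusterrolebindings -A -o json`."""
import json

# Pre-defined user-facing ClusterRoles the rule treats as overly permissive.
DEFAULT_USER_FACING_ROLES = {"cluster-admin", "admin", "edit", "view"}
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}

def find_default_role_bindings(items):
    """Return (kind, namespace, name, role) per offending binding. Matching on
    roleRef.name, as the rule does, catches a RoleBinding that grants ClusterRole
    "edit" in one namespace as well as a cluster-wide ClusterRoleBinding."""
    findings = []
    for obj in items:
        if obj.get("kind") not in BINDING_KINDS:
            continue
        role_name = obj.get("roleRef", {}).get("name", "")
        if role_name in DEFAULT_USER_FACING_ROLES:
            meta = obj.get("metadata", {})
            findings.append((obj["kind"], meta.get("namespace", ""),
                             meta.get("name", ""), role_name))
    return findings

# Constructed sample in the shape of kubectl's -o json list output.
SAMPLE_JSON = """{"kind": "List", "items": [
  {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "read-pods", "namespace": "ns"},
   "subjects": [{"kind": "ServiceAccount", "name": "some-sa", "namespace": "ns"}],
   "roleRef": {"kind": "Role", "name": "reader-role", "apiGroup": "rbac.authorization.k8s.io"}},
  {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "dev-editors", "namespace": "dev"},
   "subjects": [{"kind": "Group", "name": "developers", "apiGroup": "rbac.authorization.k8s.io"}],
   "roleRef": {"kind": "ClusterRole", "name": "edit", "apiGroup": "rbac.authorization.k8s.io"}},
  {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "ops-admins"},
   "subjects": [{"kind": "User", "name": "some-user", "apiGroup": "rbac.authorization.k8s.io"}],
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": "rbac.authorization.k8s.io"}}
]}"""

def check_sample():
    """Run the check over the constructed sample; the two default-role bindings
    are reported and the custom-role binding is not."""
    return find_default_role_bindings(json.loads(SAMPLE_JSON)["items"])

if __name__ == "__main__":
    for kind, ns, name, role in check_sample():
        print(f"{kind} {ns + '/' if ns else ''}{name} -> default role {role}")
```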