RoleBinding or ClusterRoleBinding is using a pre-defined role Affecting RoleBinding service in Kubernetes

Severity Framework Snyk CCSS

Rule category IAM / Access Control

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls

Snyk ID SNYK-CC-00645
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

A RoleBinding or ClusterRoleBinding was found using one of the default user facing roles, cluster-admin, admin, edit, or view. Pre-defined user facing roles may be overly permissive.

How to fix?

Set the roleRef.name attribute in RoleBinding and ClusterRoleBinding to a custom role instead of a default role.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: ns
subjects:
  - kind: ServiceAccount
    name: some-sa
    namespace: ns
roleRef:
  kind: Role
  name: reader-role
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods
subjects:
  - kind: User
    name: some-user
roleRef:
  kind: ClusterRole
  name: some-role
  apiGroup: rbac.authorization.k8s.io

Kubernetes

Using RBAC Authorization

RoleBinding or ClusterRoleBinding is using a pre-defined role Affecting RoleBinding service in Kubernetes

Description

How to fix?

Example Configuration

Kubernetes

Terraform