Role grants permissions to system reserved namespace Affecting RoleBinding service in Kubernetes

Severity Framework Snyk CCSS

Rule category Containers / Best Practices

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Kubernetes

Snyk ID SNYK-CC-00647
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

A role was found that grant permission over system reserved namespace (either default or kube-system). Those namespaces should be used only by cluster operators, and should be treated as sensitive.

How to fix?

Set the namespaceattribute in subjects to a value other than default or kube-system.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: example-namespace

Role grants permissions to system reserved namespace Affecting RoleBinding service in Kubernetes

Description

How to fix?

Example Configuration

Kubernetes

Terraform

References