Profiling (metrics) is protected by RBAC (OpenShift)
Ensure that the cluster-debugger cluster role includes the /metrics non-resource URL (nonResourceURLs). This demonstrates that profiling is protected by RBAC, with a specific cluster role granting access.
Risk Level: High
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.CRY.17
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
KubernetesRole where name='cluster-debugger' and namespace='*' should have rules contain-any [nonResourceURLs contain-any ['/metrics']]
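The GSL logic above can be evaluated offline against ClusterRole manifests. The following is an added example, not code from CloudGuard or OpenShift: it mirrors the rule literally (a cluster-scoped role named cluster-debugger must carry at least one rule whose nonResourceURLs include '/metrics'), and also reports a failure when no such ClusterRole exists at all, which the rule implies but which is easy to overlook. The sample manifests are constructed for illustration.

```python
"""Evaluate the 'cluster-debugger grants /metrics' check against ClusterRole JSON.

Added example, not part of the CloudGuard page. Mirrors the GSL rule:
  KubernetesRole where name='cluster-debugger' and namespace='*'
  should have rules contain-any [nonResourceURLs contain-any ['/metrics']]
"""
import json
from typing import Any, Dict, Iterable

TARGET_ROLE_NAME = "cluster-debugger"
REQUIRED_NON_RESOURCE_URL = "/metrics"

# Constructed sample manifests (not taken from a real cluster).
COMPLIANT_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-debugger"},
    "rules": [
        {"nonResourceURLs": ["/metrics", "/debug/*"], "verbs": ["get"]},
    ],
})

NON_COMPLIANT_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-debugger"},
    # Grants only /healthz; profiling endpoints are not covered by this role.
    "rules": [{"nonResourceURLs": ["/healthz"], "verbs": ["get"]}],
})

UNRELATED_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "view", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}],
})


def is_in_scope(role: Dict[str, Any]) -> bool:
    """GSL 'where' clause: a cluster-scoped ClusterRole named cluster-debugger.

    namespace='*' in GSL denotes a cluster-scoped object, i.e. a ClusterRole
    rather than a namespaced Role.
    """
    meta = role.get("metadata") or {}
    return (
        role.get("kind") == "ClusterRole"
        and meta.get("name") == TARGET_ROLE_NAME
        and "namespace" not in meta
    )


def rule_grants_metrics(rule: Dict[str, Any]) -> bool:
    """One PolicyRule satisfies 'nonResourceURLs contain-any ['/metrics']'.

    The comparison is literal, as in the GSL rule; a wildcard such as '/*'
    would grant the endpoint in Kubernetes but is not matched here.
    """
    return REQUIRED_NON_RESOURCE_URL in (rule.get("nonResourceURLs") or [])


def role_compliant(role: Dict[str, Any]) -> bool:
    """GSL 'should have' clause: at least one rule grants /metrics."""
    return any(rule_grants_metrics(r) for r in (role.get("rules") or []))


def evaluate(manifests: Iterable[str]) -> Dict[str, str]:
    """Map each role name to 'PASS', 'FAIL' or 'NOT_IN_SCOPE'."""
    results: Dict[str, str] = {}
    for doc in manifests:
        role = json.loads(doc)
        name = (role.get("metadata") or {}).get("name", "<unnamed>")
        if not is_in_scope(role):
            results[name] = "NOT_IN_SCOPE"
        else:
            results[name] = "PASS" if role_compliant(role) else "FAIL"
    return results


def cluster_passes(manifests: Iterable[str]) -> bool:
    """Whole-cluster verdict: a compliant cluster-debugger ClusterRole must exist.

    An absent role fails the check, since then nothing demonstrates that
    profiling access is gated by a dedicated RBAC role.
    """
    return any(
        is_in_scope(role) and role_compliant(role)
        for role in (json.loads(doc) for doc in manifests)
    )


if __name__ == "__main__":
    sample = [COMPLIANT_ROLE_JSON, NON_COMPLIANT_ROLE_JSON, UNRELATED_ROLE_JSON]
    for role_name, verdict in evaluate(sample).items():
        print(f"{role_name}: {verdict}")
    print("cluster:", "PASS" if cluster_passes(sample) else "FAIL")
```

On a live cluster the same functions can be fed the output of `kubectl get clusterrole cluster-debugger -o json`; if that command reports that the role is not found, the check fails for the same reason `cluster_passes` returns False on an empty input.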
REMEDIATION
None required as profiling data is protected by RBAC.
References
- https://github.com/openshift/kubernetes-kubelet/blob/master/config/v1beta1/types.go#L259-L277
- https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.5/bindata/v4.1.0/kube-apiserver/pod.yaml#L71-L84
- https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-apiserver-operator_red-hat-operators
- https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#openshift-apiserver-operator_red-hat-operators
- https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
- https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md
Kubernetes Role
An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).
Compliance Frameworks
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- OpenShift Container Platform v3