Risk Level: High
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.CRY.27
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRole where name='cluster-debugger' and namespace='*' should have rules contain-any [nonResourceURLs contain-any ['/debug/pprof']]

REMEDIATION

None required; profiling is protected by RBAC.

References

https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#cluster-openshift-controller-manager-operator_red-hat-operators
https://docs.openshift.com/container-platform/4.5/operators/operator-reference.html#kube-controller-manager-operator_red-hat-operators
https://github.com/openshift/cluster-kube-controller-manager-operator/tree/master
https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml
https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/bootkube/manifests/00_openshift-kube-controller-manager-ns.yaml
https://github.com/openshift/cluster-kube-controller-manager-operator/blob/release-4.5/bindata/v4.1.0/kube-controller-manager/kubeconfig-cm.yaml
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-scalability/profiling.md

Kubernetes Role

An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).

Compliance Frameworks

CIS OpenShift Container Platform v4 Benchmark v1.1.0
OpenShift Container Platform v3