Risk Level: High
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.CRY.33
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRole where name='cluster-debugger' and namespace='*' should have rules contain-any [nonResourceURLs contain ['/debug/pprof']]

REMEDIATION

None required. Profiling is protected by RBAC and cannot be disabled.

References

Kubernetes Role

An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).

Compliance Frameworks

CIS OpenShift Container Platform v4 Benchmark v1.1.0
OpenShift Container Platform v3