Minimize access to create pods (RBAC)
Risk Level: Low
Cloud Entity: Kubernetes Role Binding
CloudGuard Rule ID: D9.K8S.IAM.35
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
KubernetesRoleBinding should not have role.rules contain [ (verbs with ['create'] and (resources with ['pod'] or resources with ['%*%'])) or (verbs with ['%*%'] and (resources with ['pod'] or resources with ['%*%']))]REMEDIATION
Where possible, remove create access to pod objects in the cluster.
Kubernetes Role Binding
A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.20
- CIS Kubernetes Benchmark v1.23
- CIS Kubernetes Benchmark v1.24
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
- OpenShift Container Platform v3
Updated 7 months ago