cyberark / KubiScan

A tool to scan Kubernetes cluster for risky permissions

Add "nodes/proxy" as a risky permission

christophetd opened this issue · comments

Hello!

The nodes/proxy permission allows an attacker to proxy Kubelet requests through any node, compromising the whole cluster. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

It would be great to add it to the list of dangerous permissions!

Hi, thanks for the suggestion :)
I added it like that:

```yaml
# Risk: Privilege Escalation from Node/Proxy
# Verb: get, create
# Resources: nodes/proxy

- kind: Role
  metadata:
    namespace: default
    name: risky-execute-command-node-proxy
    priority: HIGH
  rules:
  - apiGroups: ["*"]
    resources: ["nodes/proxy"]
    verbs: ["get", "create"]
```

If some rule has these two verbs, get and create, on nodes/proxy, it will be assigned as risky.
I wonder whether I should also add, as a low priority, a risky rule with only get; maybe I will add it in the future.

Nice! Yeah, get on nodes/proxy as a low risk would make sense to me. It does allow things like pulling pod lists via the Kubelet API, bypassing auditing, but it's not (AFAIK) too serious.
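The classification the two comments above converge on (HIGH for get+create on nodes/proxy, LOW for get only) can be checked offline against RBAC objects pulled from a cluster. The script below is an added example written for this page; it is not KubiScan's own code, and the role names and the `SAMPLE_ROLES` list are constructed for illustration. It treats a `*` entry in `apiGroups`, `resources` or `verbs` as matching, which is how Kubernetes RBAC evaluates wildcards, and it only flags rules in the core API group (`""`) or `*`, since nodes/proxy lives in the core group.

```python
"""Added example (not KubiScan's code): flag RBAC rules that grant access to
the nodes/proxy subresource. HIGH when a role can both get and create on
nodes/proxy (proxying requests through the Kubelet on any node), LOW when it
can only get (read-only Kubelet API access, bypassing API-server auditing).
Sample roles below are constructed for this example."""
from typing import Dict, List, Optional

RISKY_RESOURCE = "nodes/proxy"
WILDCARD = "*"
_PRIORITY = {"HIGH": 2, "LOW": 1}


def _covers(granted: List[str], wanted: str) -> bool:
    """True if an RBAC list grants `wanted` directly or through a '*' wildcard."""
    return WILDCARD in granted or wanted in granted


def rule_node_proxy_level(rule: Dict) -> Optional[str]:
    """Return 'HIGH', 'LOW' or None for one PolicyRule from a Role/ClusterRole."""
    # nodes/proxy is in the core API group (""); KubiScan's entry uses ["*"].
    groups = rule.get("apiGroups", [""])
    if not any(g in ("", WILDCARD) for g in groups):
        return None
    # A bare "nodes" resource does NOT include the proxy subresource; only an
    # exact "nodes/proxy" entry or a full "*" wildcard grants it.
    if not _covers(rule.get("resources", []), RISKY_RESOURCE):
        return None
    verbs = rule.get("verbs", [])
    can_get = _covers(verbs, "get")
    can_create = _covers(verbs, "create")
    if can_get and can_create:
        return "HIGH"
    if can_get:
        return "LOW"
    # create-only is not one of the two classes discussed in the thread,
    # so it is left unclassified here.
    return None


def classify_role(role: Dict) -> Optional[str]:
    """Highest nodes/proxy risk level across all rules of a Role/ClusterRole."""
    best: Optional[str] = None
    for rule in role.get("rules", []):
        level = rule_node_proxy_level(rule)
        if level and (best is None or _PRIORITY[level] > _PRIORITY[best]):
            best = level
    return best


def scan(roles: List[Dict]) -> Dict[str, Optional[str]]:
    """Map 'Kind/name' -> risk level (None when the role is not flagged)."""
    return {f"{r['kind']}/{r['metadata']['name']}": classify_role(r) for r in roles}


# Constructed sample input, shaped like the `rules` field of RBAC objects
# (e.g. the output of `kubectl get clusterroles -o json`).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "node-proxy-full"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"],
                "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-proxy-read"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"],
                "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-verbs"},
     "rules": [{"apiGroups": ["*"], "resources": ["nodes/proxy"],
                "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "nodes-only"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"],
                "verbs": ["get", "create"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    for name, level in scan(SAMPLE_ROLES).items():
        print(f"{name}: {level or 'not flagged'}")
```

For a quick manual check of a single identity without any tooling, `kubectl auth can-i create nodes/proxy --as=system:serviceaccount:<ns>:<sa>` (and the same with `get`) answers the same question the script asks, resolved through the cluster's real bindings.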