Allowing command execution (exec) for roles in a Kubernetes cluster can pose a significant security risk. This is because it provides the user with
the ability to execute arbitrary commands within a container, potentially leading to unauthorized access or data breaches.
In a production Kubernetes cluster, exec permissions are typically unnecessary due to the principle of least privilege, which suggests that a user
or process should only have the minimum permissions necessary to perform its function. Additionally, containers in production are often treated as
immutable infrastructure, meaning they should not be changed once deployed. Any changes should be made to the container image, which is then used to
deploy a new container.
Ask Yourself Whether
- This role is given to people who are not administrators of the Kubernetes cluster.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Disable exec privileges for this role. The exec permissions are set by allowing the create verb for the
pods/exec resource. Removing this permission will prevent users and services from executing arbitrary commands within containers.
Sensitive Code Example
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: example-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/exec"] # Sensitive
verbs: ["create"]
Compliant Solution
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: example-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
See
