cyberark / KubiScan

A tool to scan Kubernetes cluster for risky permissions
GNU General Public License v3.0

Add "nodes/proxy" as a risky permission #29

Closed christophetd closed 2 years ago

christophetd commented 2 years ago

Hello!

The nodes/proxy permission allows an attacker to proxy Kubelet requests through any node, compromising the whole cluster. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

It would be great to add it to the list of dangerous permissions!

g3rzi commented 2 years ago

Hi, thanks for the suggestion :) I added it like that:

# Risk: Privilege Escalation from Node/Proxy
# Verb: get, create
# Resources: nodes/proxy

- kind: Role
  metadata:
    namespace: default
    name: risky-execute-command-node-proxy
    priority: HIGH
  rules:
  - apiGroups: ["*"]
    resources: ["nodes/proxy"]
    verbs: ["get", "create"]

If some rule has these two verbs, get and create, on nodes/proxy, it will be flagged as risky.
I wonder whether I should also add, as a low priority, a risky rule with only get; maybe I will add it in the future.
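
The matching the rule above implies, as an added example in Python (KubiScan's language) that is not KubiScan's own code: a role is flagged HIGH when get and create on nodes/proxy are granted anywhere across its rules, even by separate rules or via the `*` wildcard. The LOW get-only template is the hypothetical variant discussed here, and the matcher ignores apiGroups for simplicity since nodes/proxy lives in the core group.

```python
from typing import Dict, List

# Risky-rule template from the issue: HIGH when both get and create on nodes/proxy.
RISKY_NODE_PROXY = {
    "priority": "HIGH",
    "resources": ["nodes/proxy"],
    "verbs": ["get", "create"],
}
# Hypothetical LOW variant (get only) that the thread discusses; assumed, not in KubiScan.
RISKY_NODE_PROXY_GET = {
    "priority": "LOW",
    "resources": ["nodes/proxy"],
    "verbs": ["get"],
}

def _matches(granted: List[str], wanted: str) -> bool:
    """True if the rule lists `wanted` or the RBAC wildcard '*'."""
    return "*" in granted or wanted in granted

def _rule_grants(rule: Dict, resource: str, verb: str) -> bool:
    # A single rule grants (resource, verb) only if both its resources and verbs cover them.
    return _matches(rule.get("resources", []), resource) and _matches(rule.get("verbs", []), verb)

def role_is_risky(role: Dict, risky: Dict) -> bool:
    """A role matches a template when every (resource, verb) pair the template lists
    is granted by SOME rule in the role; get and create may come from different rules."""
    rules = role.get("rules", [])
    return all(
        any(_rule_grants(r, res, verb) for r in rules)
        for res in risky["resources"]
        for verb in risky["verbs"]
    )

def classify(role: Dict) -> str:
    """Highest-priority template the role matches, or 'NONE'."""
    for risky in (RISKY_NODE_PROXY, RISKY_NODE_PROXY_GET):
        if role_is_risky(role, risky):
            return risky["priority"]
    return "NONE"

# Constructed sample roles for demonstration (not from a real cluster).
SPLIT_RULES = {"rules": [
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["create"]},
]}
GET_ONLY = {"rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]}
CLUSTER_ADMIN_LIKE = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
# "nodes" alone does not cover the "nodes/proxy" subresource, so this one is not flagged.
NODES_ONLY = {"rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "create"]}]}
```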

christophetd commented 2 years ago

Great!!

christophetd commented 2 years ago

cc @raesene

raesene commented 2 years ago

Nice! Yeah, get on nodes/proxy as a low risk would make sense to me. It does allow things like pulling pod lists via the Kubelet API, bypassing auditing, but it's not (AFAIK) too serious.