Back to Policies

Restrict ClusterRole with Nodes Proxy in CEL expressions

A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass the API server and talk directly to the kubelet potentially circumventing audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-clusterrole-nodesproxy
  annotations:
    policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/description: "A ClusterRole with nodes/proxy resource access allows a user to perform anything the kubelet API allows. It also allows users to bypass the API server and talk directly to the kubelet potentially circumventing audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource. "
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: clusterrole-nodesproxy
      match:
        any:
          - resources:
              kinds:
                - ClusterRole
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: object.rules == null ||  !object.rules.exists(rule, has(rule.resources) && rule.resources.exists(resource, resource == 'nodes/proxy') &&  rule.apiGroups.exists(apiGroup, apiGroup == ''))
              message: A ClusterRole containing the nodes/proxy resource is not allowed.

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application