Restrict Cluster Role CSR

ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that, if compromised, could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.

Policy Definition

/other/restrict-clusterrole-csr/restrict-clusterrole-csr.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-clusterrole-csr
  annotations:
    policies.kyverno.io/title: Restrict Cluster Role CSR
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ClusterRole
    kyverno.io/kyverno-version: 1.11.5
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/description: >-
      ClusterRoles that grant permissions to approve CertificateSigningRequests should be minimized to reduce powerful identities in the cluster. Approving CertificateSigningRequests allows one to issue new credentials for any user or group. As such, ClusterRoles that grant permissions to approve CertificateSigningRequests are granting cluster admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that if compromised could take over the entire cluster. For more information, refer to https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: certificatesigningrequests-update-prevention
    match:
      any:
      - resources:
          kinds:
          - ClusterRole
    validate:
      message: "Use of verbs `update` and `patch` are forbidden for certificatesigningrequests/approval."
      foreach:
      - list: "request.object.rules[?resources.contains(@,'certificatesigningrequests/approval')]"
        deny:
          conditions:
            any:
            - key: ["update", "patch"]
              operator: AnyIn
              value: "{{ element.verbs[] }}"
            - key: "{{ contains(element.verbs[], '*') }}"
              operator: Equals
              value: true
  - name: signers-approve-prevention
    match:
      any:
      - resources:
          kinds:
          - ClusterRole
    validate:
      message: "Use of verbs `approve` are forbidden for signers."
      foreach:
      - list: "request.object.rules[?resources.contains(@,'signers')]"
        deny:
          conditions:
            any:
            - key: ["approve"]
              operator: AnyIn
              value: "{{ element.verbs[] }}"
            - key: "{{ contains(element.verbs[], '*') }}"
              operator: Equals
              value: true
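As an added example that is not part of the Kyverno policy library, the following Python mirrors the two rules' deny logic (forbidden verbs or a `*` wildcard verb on `certificatesigningrequests/approval` and `signers`) so that an existing ClusterRole list exported with `kubectl get clusterroles -o json` can be audited offline before the policy is enforced; the sample roles are constructed.

```python
import json

# Sensitive resource -> verbs the policy forbids on it (added example,
# mirrors the two Kyverno rules above; not part of the policy library)
FORBIDDEN = {
    "certificatesigningrequests/approval": {"update", "patch"},
    "signers": {"approve"},
}

def rule_violations(rule):
    """Return (resource, offending_verbs) pairs for one RBAC rule.
    A wildcard verb '*' counts as every forbidden verb, matching the
    policy's contains(element.verbs[], '*') condition. Like the policy,
    this matches the resource name exactly, so a wildcard resource '*'
    is not flagged."""
    verbs = set(rule.get("verbs", []))
    found = []
    for resource, bad in FORBIDDEN.items():
        if resource not in rule.get("resources", []):
            continue
        hit = set(bad) if "*" in verbs else bad & verbs
        if hit:
            found.append((resource, sorted(hit)))
    return found

def audit(clusterroles):
    """Map each violating ClusterRole name to its (resource, verbs) hits."""
    report = {}
    for cr in clusterroles:
        hits = []
        for rule in cr.get("rules") or []:
            hits.extend(rule_violations(rule))
        if hits:
            report[cr["metadata"]["name"]] = hits
    return report

# Constructed sample in `kubectl get clusterroles -o json` shape:
# one approver role that breaks both rules, one read-only role that passes.
SAMPLE = json.loads('''{"items": [
 {"metadata": {"name": "csr-approver"}, "rules": [
   {"apiGroups": ["certificates.k8s.io"], "resources": ["certificatesigningrequests/approval"], "verbs": ["update"]},
   {"apiGroups": ["certificates.k8s.io"], "resources": ["signers"], "verbs": ["*"]}]},
 {"metadata": {"name": "csr-viewer"}, "rules": [
   {"apiGroups": ["certificates.k8s.io"], "resources": ["certificatesigningrequests"], "verbs": ["get", "list"]}]}
]}''')

if __name__ == "__main__":
    for name, hits in audit(SAMPLE["items"]).items():
        print(f"{name}: {hits}")
```

Replace `SAMPLE` with the parsed output of `kubectl get clusterroles -o json` to see which roles the policy would report in `Audit` mode.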