Restrict ClusterRole with Nodes Proxy
A ClusterRole with access to the nodes/proxy resource allows a user to perform anything the kubelet API allows. It also lets users bypass the API server and talk directly to the kubelet, potentially circumventing audit logging and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.
Policy Definition
/other/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-clusterrole-nodesproxy
  annotations:
    policies.kyverno.io/title: Restrict ClusterRole with Nodes Proxy
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.11.4
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/description: >-
      A ClusterRole with nodes/proxy resource access allows a user to
      perform anything the kubelet API allows. It also allows users to bypass
      the API server and talk directly to the kubelet potentially circumventing
      audits and admission controllers. See https://blog.aquasec.com/privilege-escalation-kubernetes-rbac
      for more info. This policy prevents the creation
      of a ClusterRole if it contains the nodes/proxy resource.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: clusterrole-nodesproxy
    match:
      any:
      - resources:
          kinds:
          - ClusterRole
    validate:
      message: "A ClusterRole containing the nodes/proxy resource is not allowed."
      deny:
        conditions:
          all:
          - key: nodes/proxy
            operator: AnyIn
            value: "{{ request.object.rules[].resources[] }}"
          - key: ""
            operator: AnyIn
            value: "{{ request.object.rules[].apiGroups[] }}"
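The deny block above evaluates two conditions: `nodes/proxy` must appear somewhere in `rules[].resources[]`, and the core API group `""` must appear somewhere in `rules[].apiGroups[]`. Both JMESPath projections flatten values across every rule of the ClusterRole, so the two conditions are checked independently rather than on the same rule, and literal string matching means a wildcard `*` resource is not caught. The following Python script is an added example, not code from the Kyverno policy repository: it reproduces that deny logic so ClusterRoles already present in a cluster can be audited offline from `kubectl get clusterroles -o json`, and adds a stricter per-rule variant (an extension of the policy, not part of it) that also treats `*` and `*/proxy` grants as matches. The sample ClusterRoles are constructed for illustration.

```python
"""Offline audit of ClusterRoles for nodes/proxy access.

Added example that mirrors the Kyverno restrict-clusterrole-nodesproxy
deny logic; it is not part of the Kyverno policy library. Usage:

    kubectl get clusterroles -o json | python3 nodesproxy_audit.py
"""
import json
import sys


def policy_check(clusterrole: dict) -> bool:
    """Return True when the Kyverno policy would deny this ClusterRole.

    Mirrors the two `all:` conditions exactly: `rules[].resources[]` and
    `rules[].apiGroups[]` are flattened across all rules, so a ClusterRole
    is denied if ANY rule lists nodes/proxy and ANY rule lists the core
    group "", even if those are different rules.
    """
    rules = clusterrole.get("rules") or []
    resources = [r for rule in rules for r in rule.get("resources", [])]
    api_groups = [g for rule in rules for g in rule.get("apiGroups", [])]
    return "nodes/proxy" in resources and "" in api_groups


def strict_check(clusterrole: dict) -> list:
    """Stricter per-rule variant (an extension, not the policy's logic).

    Reports each rule that grants nodes/proxy in the core API group on
    its own, including grants expressed through RBAC wildcards: "*" as an
    apiGroup or resource, and "*/proxy", which matches the proxy
    subresource of every resource type.
    """
    findings = []
    for idx, rule in enumerate(clusterrole.get("rules") or []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        core_group = "" in groups or "*" in groups
        proxy = any(r in resources for r in ("nodes/proxy", "*", "*/proxy"))
        if core_group and proxy:
            findings.append(f"rule[{idx}]: apiGroups={groups} resources={resources}")
    return findings


# Constructed sample ClusterRoles (not taken from any real cluster).
SAMPLES = {
    "kubelet-proxy": {"rules": [
        {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get", "create"]}]},
    # nodes/proxy listed under a non-core group plus a separate core-group rule:
    # the policy denies this because its conditions are evaluated across rules.
    "cross-rule": {"rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    # Full wildcard grant: includes nodes/proxy in practice but no literal match.
    "wildcard": {"rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "harmless": {"rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
}


def audit(clusterroles: dict) -> dict:
    """Run both checks over a name -> ClusterRole mapping."""
    return {name: {"policy_denies": policy_check(cr), "strict_findings": strict_check(cr)}
            for name, cr in clusterroles.items()}


if __name__ == "__main__":
    # Read a `kubectl get clusterroles -o json` List from stdin, or fall back to samples.
    if sys.stdin.isatty():
        items = SAMPLES
    else:
        items = {it["metadata"]["name"]: it for it in json.load(sys.stdin)["items"]}
    for name, result in audit(items).items():
        print(f"{name}: policy_denies={result['policy_denies']} "
              f"strict_findings={result['strict_findings']}")
```

Running it against the samples shows the two behaviours worth knowing before switching `validationFailureAction` to `Enforce`: `cross-rule` is denied by the policy even though no single rule grants kubelet access in the core group, while `wildcard` passes the policy despite granting everything. The strict variant is the one to use for a background audit of existing roles; the policy as published is the admission-time gate.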