Adhere to least-privilege principle
Info
ID: MS-M9003
MITRE mitigation: M1018
Configure the Kubernetes role-based access controls (RBAC) for each user and service accounts to have only necessary permissions. This applies also to other, external, authorization providers such as Azure RBAC in AKS.
In managed cluster, Kubernetes credentials are often retrieved or generated by the cloud provider via API call. To reduce the attack surface, grant permissions to the cloud provider API only to necessary accounts. In the case of Azure, make sure that only required identities have permissions to call: /subscriptions/resourceGroups/providers/Microsoft.ContainerService/managedClusters/listClusterUserCredential
Kubeconfig file can contain credentials of accounts that allow interaction with a cluster. By applying least privileges principle to all accounts, can limit the impact of an account compromised through Kubeconfig file.
Kubernetes project also lists the following recommendations for permissions and role assignment best practices:
- Avoid wildcard permissions, especially to all resources.
- Use RoleBinding instead of ClusterAdminBinding to give access within a namespace.
- Avoid adding users to the system:master group as it bypasses RBAC.
- Use impersonation rights for admins instead of adding to the cluster admin role. Audit and monitor when impersonation is being done.
- Avoid granting the escalate or bind permissions to roles when not needed, audit and monitor when escalation is being made.
- Avoid adding users to the system:unauthenticated group.
- Limit permissions to issue CSR and certificate.
- Avoid granting users with
createrights onserviceaccounts/token, which could be exploited to create TokenRequests and issue tokens for existing service accounts. - Users with control over
validatingwebhookconfigurationsormutatingwebhookconfigurationscan control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects
Techniques Addressed by Mitigation
| ID | Name | Use |
|---|---|---|
| MS-TA9001 | Using cloud credentials | Limit RBAC privileges in the cloud account to retrieve access credentials to managed Kubenetes clusters. |
| MS-TA9003 | Kubeconfig file | Limit privileges and actions that can be achieved by getting access to a kubeconfig file |
| MS-TA9008 | New container | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-TA9011 | Sidecar injection | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-TA9012 | Backdoor container | Prevent unnecessary users and service accounts from creating new pods and controllers. |
| MS-TA9014 | Kubernetes CronJob | Prevent unnecessary users and service accounts from creating new cronjobs. |
| MS-TA9015 | Malicious admission controller | Restrict permissions to deploy or modify MutatingAdmissionWebhook and ValidatingAdmissionWebhook objects. |
| MS-TA9019 | Cluster-admin binding | Review privileged role binding and RBAC settings, restrict permissions to configure rolebinding and clusterrolebinding. |
| MS-TA9020 | Access cloud resources | Grant only necessary permission to the cloud identities. |
| MS-TA9022 | Delete Kubernetes events | Restrict permissions to delete Kubernetes events. |
| MS-TA9025 | List Kubernetes secrets | Limit users and service accounts access to Kubernetes secrets. |
| MS-TA9026 | Mount service principal | Grant minimal required permissions to service principals |
| MS-TA9016 | Container Service Account | Configure the Kubernetes RBAC such that each service account will have the minimal necessary permissions for the application’s functionality. |
| MS-TA9029 | Access Kubernetes API Server | Configure the Kubernetes RBAC such as each service account has only the minimal necessary permissions for the application’s functionality. |
| MS-TA9030 | Access Kubelet API | Kubelet uses Kubernetes RBAC to authorize requests to its API, when Webhook is used as authorization mode. In this mode, Kubelet sends a SubjectAccessReview to the API server to check if the identity is authorized to perform the required action. Configure the Kubernetes RBAC such as only service accounts that should legitimacy communicate with Kubelet API have the relevant permissions. |
| MS-TA9035 | CoreDNS poisoning | Limit updates permissions to the CoreDNS ConfigMap object. |
| MS-TA9037 | Images from a private registry | In some configurations, the credentials to private registries are stored as Kubernetes secret. Adhere to least-privilege principle to prevent users from reading image pull secrets. |
| MS-TA9041 | Collecting data from pod | Adhere to least-privilege principle to prevent users from checkpoint or running kubectl cp commands. kubectl cp wraps exec command which runs a tar process. Preventing exec into a container would effectively restrict kubectl cp command. |
| MS-TA9006 | Exec into container | Adhere to least-privilege principle to prevent users from exec into containers |