Profile applicability: Level 1 - Master Node
The ability to create pods in a namespace can provide a number of opportunities for privilege escalation, such as assigning privileged service accounts to these pods or mounting hostPaths with access to sensitive data (unless Pod Security Policies are implemented to restrict this access).
As such, access to create new pods should be restricted to the smallest possible group of users.
The ability to create pods in a cluster opens up possibilities for privilege escalation and should be restricted, where possible.
Note: By default in a kubeadm cluster the following list of principals have create privileges on pod objects.
Impact
Care should be taken not to remove access to pods from system components which require this for their operation.
Audit
Review the users who have create access to pod objects in the Kubernetes API.
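One way to carry out this review, added here as an example and not part of the benchmark itself: walk the cluster's RBAC objects and report every subject whose Role or ClusterRole grants the create verb on pods, including wildcard rules and RoleBindings that reference a ClusterRole. The input shape is the JSON that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` produces; the SAMPLE below is constructed so the script runs offline, and the role, binding and subject names in it are made up.

```python
import json

def rule_grants_pod_create(rule):
    """True if one RBAC rule allows 'create' on core-group pods (wildcards included)."""
    g, r, v = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
    return (("" in g or "*" in g) and ("pods" in r or "*" in r)
            and ("create" in v or "*" in v))

def pod_create_roles(items):
    """Set of (kind, namespace, name) for every Role/ClusterRole granting pod create."""
    return {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])
            for o in items if o["kind"] in ("Role", "ClusterRole")
            and any(rule_grants_pod_create(r) for r in o.get("rules", []))}

def subjects_with_pod_create(items):
    """Map each bound subject ('Kind/name[@ns]') to the bindings giving it pod create."""
    roles, result = pod_create_roles(items), {}
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = o["roleRef"]
        # a RoleBinding may reference a ClusterRole; ClusterRoles carry no namespace
        ns = o["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        if (ref["kind"], ns, ref["name"]) not in roles:
            continue
        for s in o.get("subjects", []):
            key = f'{s["kind"]}/{s["name"]}' + (f'@{s["namespace"]}' if s.get("namespace") else "")
            result.setdefault(key, []).append(o["metadata"]["name"])
    return result

# Constructed sample in the shape of: kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json
SAMPLE = json.loads('''{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "view"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "pod-maker", "namespace": "dev"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dev-pods", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "pod-maker"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]}]}''')

if __name__ == "__main__":
    for subject, via in sorted(subjects_with_pod_create(SAMPLE["items"]).items()):
        print(f"{subject} can create pods via {', '.join(via)}")
```

Subjects that only hold read verbs on pods (alice, via the view role in the sample) are correctly left out; a subject on the resulting list that is not a system component is a candidate for the remediation below.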
Remediation
Where possible, remove create access to pod objects in the cluster.