CKV2_K8S_{1-5} do not check apiGroups of ClusterRoleBindings #6765

Open
m-wynn opened this issue Oct 11, 2024 · 2 comments
Labels
checks Check additions or changes

m-wynn commented Oct 11, 2024

Describe the issue
CKV2_K8S_1-5 check if ClusterRoleBindings have access to read all secrets, impersonate permissions, set nodes/proxy or pods/exec by checking for wildcards, etc. However, they don't check apiGroups. If you want to give your ServiceAccount `*.*` within your API group, that should only trigger CKV_K8S_49 (minimize wildcard use in Roles and ClusterRoles), not these specific rules.

I believe this started on a fairly recent version of Checkov. I saw it on 3.2.257, but I don't remember seeing it on 3.2.250.

Examples

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test
rules:
  - apiGroups:
      - my-custom.api.group
    resources:
      - "*"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test
subjects:
  - kind: ServiceAccount
    name: my-cool-service-account
    namespace: my-namespace
```
The Prometheus-Adapter Helm Chart also runs into this issue.

Version (please complete the following information):

  • Checkov Version 3.2.257
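
The distinction this issue draws, as an added example (not Checkov's code and not part of the original post): a rule only grants a sensitive permission when its apiGroups, resources and verbs all match, so wildcards scoped to `my-custom.api.group` reach none of the core-group resources. The `SENSITIVE` list, the helper names and the sample roles are assumptions constructed for illustration.

```python
# Illustrative list built from the permissions the issue names; it is not
# Checkov's policy definition. "" is the core API group.
SENSITIVE = [
    ("read secrets", "", "secrets", ("get", "list", "watch")),
    ("impersonate", "", "users", ("impersonate",)),
    ("impersonate", "", "groups", ("impersonate",)),
    ("impersonate", "", "serviceaccounts", ("impersonate",)),
    ("nodes/proxy", "", "nodes/proxy", ("get", "create")),
    ("pods/exec", "", "pods/exec", ("get", "create")),
]

def _matches(granted, wanted):
    """A rule list matches on the "*" wildcard or an exact entry."""
    return "*" in granted or wanted in granted

def _resource_matches(granted, wanted):
    """Also accept "<resource>/*", which covers every subresource."""
    parent, _, sub = wanted.partition("/")
    return _matches(granted, wanted) or (bool(sub) and f"{parent}/*" in granted)

def rule_grants(rule, api_group, resource, verb):
    """True only if apiGroups, resources AND verbs all match the request."""
    return (_matches(rule.get("apiGroups") or [], api_group)
            and _resource_matches(rule.get("resources") or [], resource)
            and _matches(rule.get("verbs") or [], verb))

def sensitive_grants(cluster_role):
    """Return the sorted labels of sensitive permissions the role grants."""
    found = set()
    for rule in cluster_role.get("rules") or []:
        for label, group, resource, verbs in SENSITIVE:
            if any(rule_grants(rule, group, resource, v) for v in verbs):
                found.add(label)
    return sorted(found)

def _role(api_group):
    return {"kind": "ClusterRole", "metadata": {"name": "test"},
            "rules": [{"apiGroups": [api_group], "resources": ["*"], "verbs": ["*"]}]}

# Constructed inputs: the ClusterRole from the issue, then the same wildcards
# on the core group and on every group.
CUSTOM_GROUP_ROLE = _role("my-custom.api.group")
CORE_GROUP_ROLE = _role("")
ALL_GROUPS_ROLE = _role("*")

if __name__ == "__main__":
    for role in (CUSTOM_GROUP_ROLE, CORE_GROUP_ROLE, ALL_GROUPS_ROLE):
        print(role["rules"][0]["apiGroups"], "->", sensitive_grants(role))
```
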

m-wynn added the checks (Check additions or changes) label Oct 11, 2024

itariq20 commented Oct 25, 2024

@m-wynn Hi, I tested this with Checkov version 3.2.250. The example file you provided above does trigger a number of K8s policies; not sure if this was different in an even earlier version. Anyhow, this is what I'm seeing with 3.2.250:

```
checkov -f ckv2_k8s_1.yaml 
[ kubernetes framework ]: 100%|████████████████████|[1/1], Current File Scanned=ckv2_k8s_1.yaml
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=ckv2_k8s_1.yaml
[ secrets framework ]:   0%|                    |[0/1], Current File Scanned=ckv2_k8s_1.yaml

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By Prisma Cloud | version: 3.2.250 
Update available 3.2.250 -> 3.2.269
Run pip3 install -U checkov to update 


kubernetes scan results:

Passed checks: 5, Failed checks: 1, Skipped checks: 0

Check: CKV_K8S_156: "Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-permissions-to-approve-certificatesigningrequests-are-minimized
Check: CKV_K8S_158: "Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-escalate-roles-or-clusterrole-are-minimized
Check: CKV_K8S_155: "Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-clusterroles-that-grant-control-over-validating-or-mutating-admission-webhook-configurations-are-minimized
Check: CKV_K8S_157: "Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings"
	PASSED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-roles-and-clusterroles-that-grant-permissions-to-bind-rolebindings-or-clusterrolebindings-are-minimized
Check: CKV_K8S_42: "Ensure that default service accounts are not actively used"
	PASSED for resource: ClusterRoleBinding.default.my-cluster-role-binding
	File: /ckv2_k8s_1.yaml:14-25
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-default-service-accounts-are-not-actively-used
Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
	FAILED for resource: ClusterRole.default.test
	File: /ckv2_k8s_1.yaml:2-13
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles

		2  | apiVersion: rbac.authorization.k8s.io/v1
		3  | kind: ClusterRole
		4  | metadata:
		5  |   name: test
		6  | rules:
		7  |   - apiGroups:
		8  |       - my-custom.api.group
		9  |     resources:
		10 |       - "*"
		11 |     verbs:
		12 |       - "*"
		13 | ---
```

m-wynn commented Oct 26, 2024

Yes, this passes on the .250 version but not the most recent
