Kubernetes template for checking service token permissions? #11545
Hi there, I have a question: is there a template that can check the service tokens assigned to pods and ensure they don't have the 'create' permission, to ensure there is no pod breakout?
@DhiyaneshGeek, fyi
Hi @domwhewell-sage, the response time to this discussion was much longer than usual. Thank you for taking the time to open this discussion. We don't have a template to check the above scenario, but I wrote one; however, it hasn't been validated yet.

```yaml
id: k8s-svc-token-create-perm

info:
  name: Service Account Token Create Permission Check
  author: princechaddha
  severity: high
  description: Checks if pods use service accounts with create permissions and automounted tokens, which could enable pod breakout scenarios.
  impact: |
    Pods using service accounts with create permissions and automounted tokens could potentially create new resources, leading to privilege escalation and pod breakout scenarios.
  remediation: |
    Review pod service account configurations: disable automountServiceAccountToken where it is not needed, and ensure service accounts follow the least-privilege principle without create permissions.
  reference:
    - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
  tags: cloud,devops,kubernetes,security,devsecops,pods,k8s,k8s-cluster-security

flow: |
  code(1);
  code(2);
  code(3);
  // iterate() turns each extractor's result set into an array so every
  // pod/binding/role combination is passed to the javascript step once
  for (let pod of iterate(template.items)) {
    set("pod", pod);
    for (let binding of iterate(template.bindings)) {
      set("binding", binding);
      for (let role of iterate(template.roles)) {
        set("role", role);
        javascript(1);
      }
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get pods --all-namespaces --output=json

    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

  - engine:
      - sh
      - bash
    source: kubectl get rolebindings,clusterrolebindings --all-namespaces -o json

    extractors:
      - type: json
        name: bindings
        internal: true
        json:
          - '.items[]'

  - engine:
      - sh
      - bash
    source: kubectl get roles,clusterroles --all-namespaces -o json

    extractors:
      - type: json
        name: roles
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
      let podData = JSON.parse(template.pod);
      let bindingData = JSON.parse(template.binding);
      let roleData = JSON.parse(template.role);

      // Only check if token automounting is not explicitly disabled on the pod.
      // (automountServiceAccountToken: false set on the ServiceAccount object
      // itself is not consulted here, so such pods may still be reported.)
      if (podData.spec.automountServiceAccountToken !== false) {
        const saName = podData.spec.serviceAccountName || 'default';

        // Check if this binding is for our service account. A ServiceAccount
        // subject is identified by name AND namespace in both RoleBindings and
        // ClusterRoleBindings, so the namespace must match in either case.
        if (bindingData.subjects &&
            bindingData.subjects.some(subject =>
              subject.kind === "ServiceAccount" &&
              subject.name === saName &&
              subject.namespace === podData.metadata.namespace
            )) {
          // Check if this role matches the binding's roleRef: a ClusterRole is
          // cluster-scoped, a Role must live in the binding's namespace.
          if (roleData.kind === bindingData.roleRef.kind &&
              roleData.metadata.name === bindingData.roleRef.name &&
              (roleData.kind === 'ClusterRole' ||
               roleData.metadata.namespace === bindingData.metadata.namespace)) {
            // Check for create permissions (the wildcard verb "*" also grants create)
            if (roleData.rules && roleData.rules.some(rule =>
                rule.verbs && (rule.verbs.includes("create") || rule.verbs.includes("*")))) {
              let result = `Pod '${podData.metadata.name}' in namespace '${podData.metadata.namespace}' uses ServiceAccount '${saName}' with automounted token and dangerous 'create' permissions from ${bindingData.roleRef.kind} '${bindingData.roleRef.name}'.`;
              Export(result);
            }
          }
        }
      }

    extractors:
      - type: dsl
        dsl:
          - response
```
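As an added example that is not part of the thread's template or the nuclei project, here is a stand-alone Node.js checker that applies the same RBAC reasoning to `kubectl get pods/rolebindings,clusterrolebindings/roles,clusterroles/serviceaccounts -o json` output, but goes further than the template: it honours wildcard verbs and resources, `Group` subjects (`system:serviceaccounts` and `system:serviceaccounts:<ns>`), `automountServiceAccountToken: false` set on the ServiceAccount object rather than the pod, and the fact that a RoleBinding (even one referencing a ClusterRole) only grants inside its own namespace. The sample cluster state at the bottom is constructed for the example; every pod, namespace, role and binding name in it is made up, and only the object fields the checker reads are included.

```javascript
// Stand-alone RBAC "create" checker over kubectl JSON dumps (added example,
// not nuclei code). Given pods, bindings, roles and serviceAccounts lists in
// the shape of `kubectl get ... -o json` .items, it reports each pod whose
// mounted ServiceAccount token can create <resource> (default: pods).

const SA_GROUP = "system:serviceaccounts";

// Does this binding subject cover the ServiceAccount <saNamespace>/<saName>?
function subjectMatches(subject, saName, saNamespace) {
  if (subject.kind === "ServiceAccount") {
    return subject.name === saName && subject.namespace === saNamespace;
  }
  if (subject.kind === "Group") {
    return subject.name === SA_GROUP || subject.name === `${SA_GROUP}:${saNamespace}`;
  }
  return false; // User subjects never cover a ServiceAccount
}

// Does one RBAC rule allow "create" on the resource? "*" matches everything.
function ruleGrantsCreate(rule, resource) {
  const verbs = rule.verbs || [];
  const resources = rule.resources || [];
  return (verbs.includes("create") || verbs.includes("*")) &&
         (resources.includes(resource) || resources.includes("*"));
}

// Resolve a roleRef: ClusterRoles are global, Roles live in the binding's namespace.
function findRole(roles, roleRef, bindingNamespace) {
  return roles.find(r => r.kind === roleRef.kind && r.metadata.name === roleRef.name &&
    (r.kind === "ClusterRole" || r.metadata.namespace === bindingNamespace));
}

// Pod-level automountServiceAccountToken wins; otherwise the ServiceAccount's setting applies.
function tokenMounted(pod, serviceAccounts) {
  const podSetting = pod.spec.automountServiceAccountToken;
  if (podSetting === true || podSetting === false) return podSetting;
  const saName = pod.spec.serviceAccountName || "default";
  const sa = serviceAccounts.find(s =>
    s.metadata.name === saName && s.metadata.namespace === pod.metadata.namespace);
  return !(sa && sa.automountServiceAccountToken === false);
}

// One finding per (pod, binding) pair where a token-mounting pod's SA can create <resource>.
function findCreateGrants({ pods, bindings, roles, serviceAccounts }, resource = "pods") {
  const findings = [];
  for (const pod of pods) {
    if (!tokenMounted(pod, serviceAccounts)) continue;
    const ns = pod.metadata.namespace;
    const saName = pod.spec.serviceAccountName || "default";
    for (const b of bindings) {
      if (!(b.subjects || []).some(s => subjectMatches(s, saName, ns))) continue;
      const role = findRole(roles, b.roleRef, b.metadata.namespace);
      if (!role || !(role.rules || []).some(r => ruleGrantsCreate(r, resource))) continue;
      // A RoleBinding, even one referencing a ClusterRole, only grants inside its own namespace.
      const scope = b.kind === "ClusterRoleBinding" ? "cluster-wide" : `namespace ${b.metadata.namespace}`;
      findings.push({ pod: pod.metadata.name, namespace: ns, serviceAccount: saName,
        via: `${b.kind}/${b.metadata.name}`, role: `${role.kind}/${role.metadata.name}`, scope });
    }
  }
  return findings;
}

// Constructed sample cluster state (made-up names, not real kubectl output).
const mkPod = (name, namespace, sa, automount) =>
  ({ metadata: { name, namespace }, spec: { serviceAccountName: sa, automountServiceAccountToken: automount } });
const SAMPLE = {
  pods: [
    mkPod("app-1", "dev", "deployer"),        // create via RoleBinding -> finding
    mkPod("app-2", "prod", "default"),        // Group binding to wildcard ClusterRole -> finding
    mkPod("app-3", "dev", "reader"),          // read-only role -> clean
    mkPod("app-4", "dev", "deployer", false), // token not mounted at pod level -> clean
    mkPod("app-5", "prod", "batch"),          // token disabled on the ServiceAccount -> clean
  ],
  serviceAccounts: [
    { metadata: { name: "deployer", namespace: "dev" } },
    { metadata: { name: "reader", namespace: "dev" } },
    { metadata: { name: "default", namespace: "prod" } },
    { metadata: { name: "batch", namespace: "prod" }, automountServiceAccountToken: false },
  ],
  roles: [
    { kind: "Role", metadata: { name: "deployer-role", namespace: "dev" },
      rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["create", "get"] }] },
    { kind: "Role", metadata: { name: "reader-role", namespace: "dev" },
      rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get", "list"] }] },
    { kind: "ClusterRole", metadata: { name: "cluster-admin" },
      rules: [{ apiGroups: ["*"], resources: ["*"], verbs: ["*"] }] },
  ],
  bindings: [
    { kind: "RoleBinding", metadata: { name: "deployer-rb", namespace: "dev" },
      roleRef: { kind: "Role", name: "deployer-role" },
      subjects: [{ kind: "ServiceAccount", name: "deployer", namespace: "dev" }] },
    { kind: "ClusterRoleBinding", metadata: { name: "prod-sa-admin" },
      roleRef: { kind: "ClusterRole", name: "cluster-admin" },
      subjects: [{ kind: "Group", name: "system:serviceaccounts:prod" }] },
    // Same SA name as app-2's but a different namespace: must NOT match app-2.
    { kind: "ClusterRoleBinding", metadata: { name: "ksys-default-admin" },
      roleRef: { kind: "ClusterRole", name: "cluster-admin" },
      subjects: [{ kind: "ServiceAccount", name: "default", namespace: "kube-system" }] },
    { kind: "RoleBinding", metadata: { name: "reader-rb", namespace: "dev" },
      roleRef: { kind: "Role", name: "reader-role" },
      subjects: [{ kind: "ServiceAccount", name: "reader", namespace: "dev" }] },
  ],
};

for (const f of findCreateGrants(SAMPLE)) console.log(JSON.stringify(f));
```

Against the sample this reports `app-1` (create on pods in namespace `dev` via `RoleBinding/deployer-rb`) and `app-2` (cluster-wide via the `system:serviceaccounts:prod` group binding to a wildcard ClusterRole); the `kube-system/default` ClusterRoleBinding correctly does not touch `prod/default`, and `app-4`/`app-5` are skipped because no token is mounted. Passing a different resource name, e.g. `findCreateGrants(SAMPLE, "secrets")`, narrows the check to that resource.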