yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions

Author: semgrep

Semgrep detected a Kubernetes ClusterRole that grants wildcard permissions in the core API group. The empty API group (apiGroups: [""]) is the core, or legacy, v1 group, which contains pods, secrets, configmaps, services, serviceaccounts, nodes and persistentvolumes. A ClusterRole with resources: ["*"] and verbs: ["*"] in that group lets any subject bound to it through a ClusterRoleBinding read every Secret and create, modify or delete any core resource in every namespace; a RoleBinding to the same ClusterRole grants the same powers within one namespace. Prefer an explicit allowlist of the verbs and resources the subject actually needs.
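
As an added example that is not part of the Semgrep rule or of the Kubernetes project, the following Python script applies the same check outside Semgrep, to the JSON that kubectl get clusterroles -o json prints, or to the constructed sample embedded in it. It flags every ClusterRole rule that has both resources "*" and verbs "*" and covers the core group. It goes one step beyond the Semgrep pattern in two ways: apiGroups ["*"] is treated as covering the core group too (the pattern above only matches the literal [""]), and built-in roles carrying the kubernetes.io/bootstrapping=rbac-defaults label (cluster-admin and friends) are skipped by default, since their breadth is expected. The role names in the sample are made up.

```python
"""Audit ClusterRoles for wildcard grants in the core ("") API group.

Usage:  kubectl get clusterroles -o json | python3 audit_core_wildcards.py
Without piped input it runs against the constructed SAMPLE_JSON below.
"""
import json
import sys

CORE_GROUP = ""  # the core/legacy v1 group: pods, secrets, configmaps, nodes, ...
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"  # "rbac-defaults" on built-in roles


def rule_grants_core_wildcard(rule):
    """True if one PolicyRule grants every verb on every resource of the core group.

    Same condition as the Semgrep rule (resources and verbs both "*" under
    apiGroups [""]); additionally treats apiGroups ["*"] as covering the core
    group, which the Semgrep pattern does not match.
    """
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    covers_core = CORE_GROUP in groups or "*" in groups
    return covers_core and "*" in resources and "*" in verbs


def load_items(text):
    """Accept either a single ClusterRole document or a kubectl `kind: List`."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def audit_cluster_roles(items, skip_bootstrap=True):
    """Return [(clusterrole name, rule index), ...] for every offending rule."""
    findings = []
    for item in items:
        if item.get("kind") != "ClusterRole":
            continue
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if skip_bootstrap and labels.get(BOOTSTRAP_LABEL) == "rbac-defaults":
            continue  # cluster-admin etc. are expected to be this broad
        for idx, rule in enumerate(item.get("rules") or []):
            if rule_grants_core_wildcard(rule):
                findings.append((meta.get("name", "<unnamed>"), idx))
    return findings


# Constructed sample shaped like `kubectl get clusterroles -o json` output.
SAMPLE_JSON = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": "bad-role"},
         "rules": [
             {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
             {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
             {"apiGroups": [""], "resources": ["configmaps"],
              "verbs": ["get", "list", "watch"]},
         ]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": "everything-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": "cluster-admin",
                      "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    ]})


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, idx in audit_cluster_roles(load_items(text or SAMPLE_JSON)):
        print(f"{name}: rules[{idx}] grants verbs [*] on resources [*] "
              f"in the core API group")
```

Pipe the output of kubectl get clusterroles -o json into the script to audit a live cluster; with no input it reports bad-role (rule 1) and everything-admin (rule 0) from the sample. The Semgrep rule binds resources and verbs to the same metavariable $A, so it fires only when both lists are the wildcard; resources ["*"] with verbs ["list"] is accepted, as the test file on this page shows, and the script applies the same condition.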

Definition

rules:
  - id: legacy-api-clusterrole-excessive-permissions
    patterns:
      - pattern: |
          "*"
      - pattern-inside: |
          resources: $A
          ...
      - pattern-inside: |
          verbs: $A
          ...
      - pattern-inside: |
          - apiGroups: [""]
            ...
      - pattern-inside: |
          apiVersion: rbac.authorization.k8s.io/v1
          ...
      - pattern-inside: |
          kind: ClusterRole
          ...
    message: >-
      Semgrep detected a Kubernetes ClusterRole that grants wildcard
      permissions in the core API group. The empty API group ("") is the
      core, or legacy, v1 group, which contains pods, secrets, configmaps,
      services, serviceaccounts, nodes and persistentvolumes. A ClusterRole
      with resources ["*"] and verbs ["*"] in that group lets any subject
      bound to it through a ClusterRoleBinding read every Secret and create,
      modify or delete any core resource in every namespace; a RoleBinding to
      the same ClusterRole grants the same powers within one namespace. Prefer
      an explicit allowlist of the verbs and resources the subject actually
      needs.
    languages:
      - yaml
    severity: WARNING
    metadata:
      cwe:
        - "CWE-269: Improper Privilege Management"
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      references:
        - https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole
        - https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice
        - https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups
      category: security
      technology:
        - kubernetes
      cwe2021-top25: false
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization

Examples

legacy-api-clusterrole-excessive-permissions.test.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: bad-role
rules:
  # ok: legacy-api-clusterrole-excessive-permissions
  - apiGroups:
      - apps
    resources:
      - "*"
    verbs:
      - "*"
  - apiGroups:
      - ""
    resources:
  # ruleid: legacy-api-clusterrole-excessive-permissions
      - "*"
    verbs:
  # ruleid: legacy-api-clusterrole-excessive-permissions
      - "*"
  # ok: legacy-api-clusterrole-excessive-permissions
  - apiGroups:
      - ""
    resources: ["*"]
    verbs:
      - list
  # ok: legacy-api-clusterrole-excessive-permissions
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  
  - apiGroups: [""]
  # ruleid: legacy-api-clusterrole-excessive-permissions
    resources: ["*"]
  # ruleid: legacy-api-clusterrole-excessive-permissions
    verbs: ["*"]
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
    verbs:
      - "*"