Profile Applicability: Level 1
The Kubernetes API stores secrets, which may be service account tokens for the Kubernetes API or credentials used by workloads in the cluster. Access to these secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation.
Inappropriate access to secrets stored within the Kubernetes cluster can allow an attacker to gain additional access to the Kubernetes cluster, or to external resources whose credentials are stored as secrets.

Impact

Care should be taken not to remove access to secrets that system components require in order to function.

Audit

Review the users who have get, list or watch access to secrets objects in the Kubernetes API.
The following command prints, for each matching role, the get, list or watch permissions it grants, including roles that grant access through wildcards, for example resources: ["*"] or ["secrets/*"], or verbs: ["*"]:
kubectl get clusterrole,role -A -o json | jq -r ' def wanted: ["get","list","watch"]; .items[] as $r | [ $r.rules[]? | select( ((.apiGroups? // [""]) | any(.=="" or .=="*")) and ((.resources? // []) | any(.=="secrets" or .=="secrets/*" or .=="*")) and ((.verbs? // []) | any(.=="*" or .=="get" or .=="list" or .=="watch")) ) | if ((.verbs? // []) | any(.=="*")) then wanted[] else (.verbs[]? | select(IN("get","list","watch"))) end ] as $verbs | select($verbs | length > 0) | "\($r.kind): \($r.metadata.name) (namespace: \($r.metadata.namespace // "cluster-wide")) | verbs: \($verbs | unique | join(","))" '
Example output:
ClusterRole: admin (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: cluster-admin (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: edit (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:aggregate-to-edit (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:cloud-controller-manager (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:controller:generic-garbage-collector (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:controller:namespace-controller (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:controller:resourcequota-controller (namespace: cluster-wide) | verbs: list,watch
ClusterRole: system:gcp-controller-manager (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:gke-common-webhooks (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:glbc-status (namespace: cluster-wide) | verbs: get
ClusterRole: system:kube-controller-manager (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:kubestore-collector (namespace: cluster-wide) | verbs: get,list,watch
ClusterRole: system:node (namespace: cluster-wide) | verbs: get,list,watch
Role: operator (namespace: gmp-public) | verbs: get,list,watch
Role: operator (namespace: gmp-system) | verbs: get,list,watch
Role: system:controller:bootstrap-signer (namespace: kube-system) | verbs: get,list,watch
Role: system:controller:token-cleaner (namespace: kube-system) | verbs: get,list,watch
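The same audit logic as the jq command above, written in Python as an added example (not part of the benchmark or of kubectl); it runs over a constructed sample of Role/ClusterRole objects standing in for the `kubectl ... -o json` output and applies the same wildcard rules for apiGroups, resources and verbs.

```python
READ_VERBS = ("get", "list", "watch")


def secret_read_verbs(rule: dict) -> set[str]:
    """Subset of get/list/watch that one RBAC rule grants on Secrets.

    Wildcards count as grants: apiGroups "*" (the core group is ""),
    resources "*" or "secrets/*", and verbs "*".
    """
    groups = rule.get("apiGroups") or [""]          # missing group means core group
    if not any(g in ("", "*") for g in groups):
        return set()                                 # e.g. apps/secrets is not a Secret
    resources = rule.get("resources") or []
    if not any(r in ("secrets", "secrets/*", "*") for r in resources):
        return set()
    verbs = rule.get("verbs") or []
    if "*" in verbs:
        return set(READ_VERBS)
    return {v for v in verbs if v in READ_VERBS}


def audit_roles(items: list[dict]) -> list[str]:
    """One finding per Role/ClusterRole that can read Secrets, in the
    same line format the jq command prints."""
    findings = []
    for role in items:
        verbs: set[str] = set()
        for rule in role.get("rules") or []:
            verbs |= secret_read_verbs(rule)
        if verbs:
            meta = role["metadata"]
            ns = meta.get("namespace", "cluster-wide")
            findings.append(f"{role['kind']}: {meta['name']} (namespace: {ns}) "
                            f"| verbs: {','.join(sorted(verbs))}")
    return findings


# Constructed sample standing in for `kubectl get clusterrole,role -A -o json`.
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "secret-lister", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["secrets/*"], "verbs": ["list", "watch", "create"]}]},
    {"kind": "Role", "metadata": {"name": "wrong-group", "namespace": "app"},
     "rules": [{"apiGroups": ["apps"], "resources": ["secrets"], "verbs": ["get"]}]},
]

if __name__ == "__main__":
    print("\n".join(audit_roles(SAMPLE_ITEMS)))
```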

Remediation

Where possible, remove get, list and watch access to secret objects in the cluster.

Default Value

CLUSTERROLEBINDING                                    SUBJECT                              TYPE            SA-NAMESPACE
cluster-admin                                         system:masters                       Group
system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller   ServiceAccount  kube-system
system:controller:expand-controller                   expand-controller                    ServiceAccount  kube-system
system:controller:generic-garbage-collector           generic-garbage-collector            ServiceAccount  kube-system
system:controller:namespace-controller                namespace-controller                 ServiceAccount  kube-system
system:controller:persistent-volume-binder            persistent-volume-binder             ServiceAccount  kube-system
system:kube-controller-manager                        system:kube-controller-manager       User