5.1.10 Minimize access to the proxy sub-resource of nodes

Information

Users with access to the Proxy sub-resource of Node objects automatically have permissions to use the Kubelet API, which may allow for privilege escalation or bypass cluster security controls such as audit logs.

The Kubelet provides an API which includes rights to execute commands in any container running on the node. Access to this API is covered by permissions to the main Kubernetes API via the node object. The proxy sub-resource specifically allows wide ranging access to the Kubelet API.

Direct access to the Kubelet API bypasses controls like audit logging (there is no audit log of Kubelet API access) and admission control.

The ability to use the proxy sub-resource of node objects opens up possibilities for privilege escalation and should be restricted, where possible.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Where possible, remove access to the proxy sub-resource of node objects.

See Also

https://workbench.cisecurity.org/benchmarks/17568

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4)

Plugin: Unix

Control ID: e9d785975cb6301b03e6ad2c244c1f7b3d0acdbb3804a5e094864d25cea2d0ce