5.1.12 Minimize access to webhook configuration objects

Information

Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.

The ability to manage webhook configuration should be limited

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects

See Also

https://workbench.cisecurity.org/benchmarks/17568

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4)

Plugin: Unix

Control ID: a12f0f4652e8d7a770e1be7c16f3c53f8fc40c10810a239641c7ca37ad731de2