RBAC Roles Allow Privilege Escalation

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-access-001
  labels:
    severity: "critical"
    category: "access"
  annotations:
    rules.spotter.dev/title: "RBAC Roles Allow Privilege Escalation"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-269"
    rules.spotter.dev/description: "RBAC roles that grant `escalate` permissions can be abused to gain higher privileges."
spec:
  match:
    resources:
      kubernetes:
        apiGroups: ["rbac.authorization.k8s.io"]
        versions: ["v1"]
        kinds: ["Role", "ClusterRole"]
  cel: |
    object.kind in ["Role", "ClusterRole"] && has(object.rules) && object.rules.exists(r,
      has(r.resources) && has(r.verbs) &&
      r.resources.exists(res, res in ["roles", "clusterroles"]) &&
      r.verbs.exists(verb, verb in ["bind", "escalate", "*"])
    )
  remediation:
    manual: "Avoid granting `bind` & escalate` permissions in RBAC roles."
  references:
    - title: "Kubernetes RBAC"
      url: "https://kubernetes.io/docs/reference/access-authn-authz/rbac/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: rbac-binder
      namespace: kube-system
    rules:
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - clusterroles
      verbs:
      - bind
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - clusterrolebindings
      verbs:
      - create

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: not-rbac-binder
      namespace: kube-system
    rules:
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - clusterrolebindings
      verbs:
      - create

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-access-001
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-access-001
spec:
  # Add your VAP configuration here

Rule Metadata

RBAC Roles Allow Privilege Escalation

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub