kubescape
diff --git a/‎controls/C-0278-minimizeaccesstocreatepv.json
+29 b/‎controls/C-0278-minimizeaccesstocreatepv.json
+29
diff --git a/‎controls/C-0279-minimizeaccesstonodeproxy.json
+29 b/‎controls/C-0279-minimizeaccesstonodeproxy.json
+29
diff --git a/‎controls/C-0280-minimizeaccesstocertsigningreq.json
+29 b/‎controls/C-0280-minimizeaccesstocertsigningreq.json
+29
diff --git a/‎controls/C-0281-minimizeaccesstoadmissionwebhook.json
+29 b/‎controls/C-0281-minimizeaccesstoadmissionwebhook.json
+29
diff --git a/‎controls/C-0282-minimizeaccesstoserviceaccountcreate.json
+29 b/‎controls/C-0282-minimizeaccesstoserviceaccountcreate.json
+29
diff --git a/‎rules/rule-can-access-proxy-subresource/raw.rego
+66 b/‎rules/rule-can-access-proxy-subresource/raw.rego
+66
diff --git a/‎rules/rule-can-access-proxy-subresource/rule.metadata.json
+28 b/‎rules/rule-can-access-proxy-subresource/rule.metadata.json
+28
diff --git a/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/expected.json
+1 b/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/expected.json
+1
diff --git a/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/input/clusterrole.yaml
+8 b/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/input/clusterrole.yaml
+8
diff --git a/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/input/clusterrolebinding.yaml
+15 b/‎rules/rule-can-access-proxy-subresource/test/clusterrole-clusterrolebinding/input/clusterrolebinding.yaml
+15
@@ -0,0 +1,29 @@
+{
+    "name": "Minimize access to create persistent volumes",
+    "controlID": "C-0278",
+    "description": "The ability to create persistent volumes in a cluster can provide an opportunity for privilege escalation, via the creation of hostPath volumes. ",
+    "long_description": "The ability to create persistent volumes in a cluster can provide an opportunity for privilege escalation, via the creation of hostPath volumes. As persistent volumes are not covered by Pod Security Admission, a user with access to create persistent volumes may be able to get access to sensitive files from the underlying host even where restrictive Pod Security Admission policies are in place.",
+    "remediation": "Where possible, remove `create` access to `persistentvolume` objects in the cluster.",
+    "manual_test": "Review the users who have create access to persistentvolume objects in the Kubernetes API.",
+    "test": "Check which subjects have RBAC permissions to create persistentvolumes.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633388/recommendations/4261959"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "rule-can-create-pv"
+    ],
+    "baseScore": 5,
+    "impact_statement": "Care should be taken not to remove access to pods to system components which require this for their operation",
+    "category": {
+        "name" : "Access control"
+   },
+    "default_value": "By default in a kubeadm cluster the following list of principals have `create` privileges on `persistentvolume` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
+    "scanningScope": {
+        "matches": [
+            "cluster",
+            "file"
+        ]
+    }
+}
@@ -0,0 +1,29 @@
+{
+    "name": "Minimize access to the proxy sub-resource of nodes",
+    "controlID": "C-0279",
+    "description": "Users with access to the Proxy sub-resource of Node objects automatically have permissions to use the Kubelet API, which may allow for privilege escalation or bypass cluster security controls such as audit logs.",
+    "long_description": "Users with access to the Proxy sub-resource of Node objects automatically have permissions to use the Kubelet API, which may allow for privilege escalation or bypass cluster security controls such as audit logs. The Kubelet provides an API which includes rights to execute commands in any container running on the node. Access to this API is covered by permissions to the main Kubernetes API via the node object. The proxy sub-resource specifically allows wide ranging access to the Kubelet API. Direct access to the Kubelet API bypasses controls like audit logging (there is no audit log of Kubelet API access) and admission control.",
+    "remediation": "Where possible, remove access to the proxy sub-resource of node objects.",
+    "manual_test": "Review the users who have access to the proxy sub-resource of node objects in the Kubernetes API.",
+    "test": "Check which subjects have RBAC permissions to access the proxy sub-resource of node objects.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633388/recommendations/4261961"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "rule-can-access-proxy-subresource"
+    ],
+    "baseScore": 5,
+    "impact_statement": "Users with access to the proxy sub-resource of node objects automatically have permissions to use the Kubelet API, which may allow for privilege escalation or bypass cluster security controls such as audit logs.",
+    "category": {
+        "name" : "Access control"
+   },
+    "default_value": "By default in a kubeadm cluster the following list of principals have `create` privileges on `node/proxy` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
+    "scanningScope": {
+        "matches": [
+            "cluster",
+            "file"
+        ]
+    }
+}
@@ -0,0 +1,29 @@
+{
+    "name": "Minimize access to the approval sub-resource of certificatesigningrequests objects",
+    "controlID": "C-0280",
+    "description": "Users with access to the update the approval sub-resource of certificateaigningrequests objects can approve new client certificates for the Kubernetes API effectively allowing them to create new high-privileged user accounts.",
+    "long_description": "Users with access to the update the approval sub-resource of certificateaigningrequests objects can approve new client certificates for the Kubernetes API effectively allowing them to create new high-privileged user accounts. This can allow for privilege escalation to full cluster administrator, depending on users configured in the cluster",
+    "remediation": "Where possible, remove access to the approval sub-resource of certificatesigningrequests objects.",
+    "manual_test": "Review the users who have access to update the approval sub-resource of certificatesigningrequests objects in the Kubernetes API.",
+    "test": "Check which subjects have RBAC permissions to update the approval sub-resource of certificatesigningrequests objects.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633388/recommendations/4261962"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "rule-can-approve-certsigningreq"
+    ],
+    "baseScore": 5,
+    "impact_statement": "Users with access to the approval sub-resource of certificatesigningrequests objects can approve new client certificates for the Kubernetes API effectively allowing them to create new high-privileged user accounts.",
+    "category": {
+        "name" : "Access control"
+   },
+    "default_value": "By default in a kubeadm cluster the following list of principals have `update` privileges on `certificatesigningrequests/approval` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
+    "scanningScope": {
+        "matches": [
+            "cluster",
+            "file"
+        ]
+    }
+}
@@ -0,0 +1,29 @@
+{
+    "name": "Minimize access to webhook configuration objects",
+    "controlID": "C-0281",
+    "description": "Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.",
+    "long_description": "Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.",
+    "remediation": "Where possible, remove access to the validatingwebhookconfigurations or mutatingwebhookconfigurations objects",
+    "manual_test": "Review the users who have access to validatingwebhookconfigurations or mutatingwebhookconfigurations objects in the Kubernetes API.",
+    "test": "Check which subjects have RBAC permissions to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations objects.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633388/recommendations/4261963"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "rule-can-modify-admission-webhooks"
+    ],
+    "baseScore": 5,
+    "impact_statement": "Users with rights to create/modify/delete validatingwebhookconfigurations or mutatingwebhookconfigurations can control webhooks that can read any object admitted to the cluster, and in the case of mutating webhooks, also mutate admitted objects. This could allow for privilege escalation or disruption of the operation of the cluster.",
+    "category": {
+        "name" : "Access control"
+   },
+    "default_value": "By default in a kubeadm cluster the following list of principals have `create/modify/delete` privileges on `validatingwebhookconfigurations/mutatingwebhookconfigurations` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
+    "scanningScope": {
+        "matches": [
+            "cluster",
+            "file"
+        ]
+    }
+}
@@ -0,0 +1,29 @@
+{
+    "name": "Minimize access to the service account token creation",
+    "controlID": "C-0282",
+    "description": "Users with rights to create new service account tokens at a cluster level, can create long-lived privileged credentials in the cluster. This could allow for privilege escalation and persistent access to the cluster, even if the users account has been revoked.",
+    "long_description": "Users with rights to create new service account tokens at a cluster level, can create long-lived privileged credentials in the cluster. This could allow for privilege escalation and persistent access to the cluster, even if the users account has been revoked.",
+    "remediation": "Where possible, remove access to the token sub-resource of serviceaccount objects.",
+    "manual_test": "Review the users who have access to create the token sub-resource of serviceaccount objects in the Kubernetes API.",
+    "test": "Check which subjects have RBAC permissions to create the token sub-resource of serviceaccount objects.",
+    "references": [
+        "https://workbench.cisecurity.org/sections/2633388/recommendations/4261965"
+    ],
+    "attributes": {
+    },
+    "rulesNames": [
+        "rule-can-create-service-account-token"
+    ],
+    "baseScore": 5,
+    "impact_statement": "Users with rights to create new service account tokens at a cluster level, can create long-lived privileged credentials in the cluster. This could allow for privilege escalation and persistent access to the cluster, even if the users account has been revoked.",
+    "category": {
+        "name" : "Access control"
+   },
+    "default_value": "By default in a kubeadm cluster the following list of principals have `create` privileges on `serviceaccount/token` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
+    "scanningScope": {
+        "matches": [
+            "cluster",
+            "file"
+        ]
+    }
+}
@@ -0,0 +1,66 @@
+package armo_builtins
+
+import future.keywords.in
+
+# fails if user has access to proxy subresources
+deny[msga] {
+	subjectVector := input[_]
+	role := subjectVector.relatedObjects[i]
+	rolebinding := subjectVector.relatedObjects[j]
+	endswith(role.kind, "Role")
+	endswith(rolebinding.kind, "Binding")
+
+	rule := role.rules[p]
+
+	subject := rolebinding.subjects[k]
+	is_same_subjects(subjectVector, subject)
+
+is_same_subjects(subjectVector, subject)
+	rule_path := sprintf("relatedObjects[%d].rules[%d]", [i, p])
+
+	verbs := ["get", "create", "connect","*"]
+	verb_path := [sprintf("%s.verbs[%d]", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]
+	count(verb_path) > 0
+
+	api_groups := ["", "*"]
+	api_groups_path := [sprintf("%s.apiGroups[%d]", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]
+	count(api_groups_path) > 0
+
+	resources := ["nodes/proxy", "*"]
+	resources_path := [sprintf("%s.resources[%d]", [rule_path, l]) | resource = rule.resources[l]; resource in resources]
+	count(resources_path) > 0
+
+	path := array.concat(resources_path, verb_path)
+	path2 := array.concat(path, api_groups_path)
+	finalpath := array.concat(path2, [
+		sprintf("relatedObjects[%d].subjects[%d]", [j, k]),
+		sprintf("relatedObjects[%d].roleRef.name", [j]),
+	])
+
+	msga := {
+		"alertMessage": sprintf("Subject: %s-%s can access proxy subresources", [subjectVector.kind, subjectVector.name]),
+		"alertScore": 3,
+		"reviewPaths": finalpath,
+		"failedPaths": finalpath,
+		"fixPaths": [],
+		"packagename": "armo_builtins",
+		"alertObject": {
+			"k8sApiObjects": [],
+			"externalObjects": subjectVector,
+		},
+	}
+}
+
+# for service accounts
+is_same_subjects(subjectVector, subject) {
+	subjectVector.kind == subject.kind
+	subjectVector.name == subject.name
+	subjectVector.namespace == subject.namespace
+}
+
+# for users/ groups
+is_same_subjects(subjectVector, subject) {
+	subjectVector.kind == subject.kind
+	subjectVector.name == subject.name
+	subjectVector.apiGroup == subject.apiGroup
+}
@@ -0,0 +1,28 @@
+{
+    "name": "rule-can-access-proxy-subresource",
+    "attributes": {
+      "resourcesAggregator": "subject-role-rolebinding",
+      "useFromKubescapeVersion": "v1.0.133"
+    },
+    "ruleLanguage": "Rego",
+    "match": [
+      {
+        "apiGroups": [
+          "rbac.authorization.k8s.io"
+        ],
+        "apiVersions": [
+          "v1"
+        ],
+        "resources": [
+            "Role",
+            "ClusterRole",
+            "ClusterRoleBinding",
+            "RoleBinding"
+          ]
+      }
+    ],
+    "ruleDependencies": [],
+    "description": "determines which users can access proxy subresources",
+    "remediation": "",
+    "ruleQuery": "armo_builtins"
+  }
@@ -0,0 +1 @@
+[]
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["pods", "rolebindings"]
+  verbs: ["create", "watch", "list"]
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: read-secrets-global
+subjects:
+- kind: Group
+  name: manager
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: dev
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: test
+  apiGroup: rbac.authorization.k8s.io