
☑️ Prevent containers from allowing command execution

Kubectl is the command-line tool for managing Kubernetes clusters. `kubectl exec` runs a command inside a running container, and a subject may do so only if a Role or ClusterRole bound to it grants the `create` verb on the `pods/exec` subresource. An attacker who obtains credentials bound to such a role can run `kubectl exec` to execute malicious code inside workloads and use that foothold to compromise other resources in the cluster.

Targeted objects by this rule (types of kind): Role / ClusterRole

Complexity: medium

Policy as code identifier: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE


This rule will fail

If the `pods/exec` resource and/or the `create` verb appear in a rule. Running `kubectl exec` needs both (`create` on `pods/exec`), but the rule flags either value on its own, so each of the following fragments fails:

kind: Role
rules:
- resources: ["pods/exec"]

kind: Role
rules:
- verbs: ["create"]

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from allowing command execution [1 occurrence]
💡 Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers
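The following is an added example, not Datree's own implementation of the rule. It scans parsed Role and ClusterRole manifests for rules that actually grant `kubectl exec`, i.e. `create` on `pods/exec` in the core API group, and it honours the wildcard forms Kubernetes RBAC accepts (`*` in apiGroups, resources or verbs, and `*/exec` for the subresource). Note that this check is deliberately narrower than the rule described above: the rule fires on either `pods/exec` or `create` alone, whereas this code reports only rules where the two combine into exec permission. The sample manifests are constructed for the example; a rule that omits `apiGroups` is assumed to target the core group, which is where `pods/exec` lives.

```python
"""Added example: find RBAC rules that allow `kubectl exec`.

Not Datree's code. Checks for the `create` verb on the `pods/exec`
subresource in the core API group, using Kubernetes RBAC wildcard
matching (`*`, and `*/exec` for the subresource).
"""
from typing import Dict, List

CORE_GROUP = ""  # pods/exec belongs to the core ("") API group


def _matches(allowed: List[str], wanted: str) -> bool:
    """RBAC list matching: a literal entry or the `*` wildcard."""
    return "*" in allowed or wanted in allowed


def _resource_matches_exec(resources: List[str]) -> bool:
    """RBAC matches the pods/exec subresource via `*`, `pods/exec` or `*/exec`."""
    return any(r in ("*", "pods/exec", "*/exec") for r in resources)


def rule_allows_exec(rule: dict) -> bool:
    """True if a single PolicyRule grants `create` on `pods/exec`."""
    # Assumption: a rule with no apiGroups is treated as core-group only.
    api_groups = rule.get("apiGroups", [CORE_GROUP])
    return (
        _matches(api_groups, CORE_GROUP)
        and _resource_matches_exec(rule.get("resources", []))
        and _matches(rule.get("verbs", []), "create")
    )


def find_exec_rules(manifest: dict) -> List[int]:
    """Indexes of offending rules in a Role/ClusterRole (empty for other kinds)."""
    if manifest.get("kind") not in ("Role", "ClusterRole"):
        return []
    return [i for i, rule in enumerate(manifest.get("rules", []))
            if rule_allows_exec(rule)]


def audit(manifests: List[dict]) -> Dict[str, List[int]]:
    """Map '<kind>/<name>' -> offending rule indexes, only for failing manifests."""
    report: Dict[str, List[int]] = {}
    for m in manifests:
        hits = find_exec_rules(m)
        if hits:
            name = m.get("metadata", {}).get("name", "<unnamed>")
            report[f"{m.get('kind')}/{name}"] = hits
    return report


# Constructed sample manifests, already parsed (what yaml.safe_load_all would return).
SAMPLES = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "debug-exec", "namespace": "dev"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
     ]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "read-only", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "cm-writer", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]}]},
]

if __name__ == "__main__":
    for target, idxs in audit(SAMPLES).items():
        print(f"{target}: rule(s) {idxs} allow kubectl exec")
```

Run against the samples, `debug-exec` (rule 1) and the wildcard ClusterRole are reported; `read-only` passes, and `cm-writer` passes here even though its bare `create` verb would trip the rule above. To use it on real files, replace `SAMPLES` with `list(yaml.safe_load_all(open(path)))` from PyYAML and feed the result to `audit`.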

How to fix this failure

Do not grant these privileges in your Role and ClusterRole resources: leave out the `pods/exec` subresource and the `create` verb, and grant only the verbs the subject actually needs, for example read access:

kind: Role
rules:
- resources: ["pods"]
  verbs: ["get"]
