Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

re-add attack track external-workload-with-cluster-takeover-roles #619

Merged
merged 2 commits into from
Apr 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions attack-tracks/external-workload-with-cluster-takeover-roles.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"apiVersion": "regolibrary.kubescape/v1alpha1",
"kind": "AttackTrack",
"metadata": {
"name": "external-workload-with-cluster-takeover-roles"
},
"spec": {
"version": "1.0",
"data": {
"name": "Initial Access",
"description": "An attacker can access the Kubernetes environment.",
"subSteps": [
{
"name": "Cluster Access",
"description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
}
]
}
}
}
6 changes: 6 additions & 0 deletions controls/C-0256-exposuretointernet.json
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,12 @@
"Initial Access"
]
},
{
"attackTrack": "external-workload-with-cluster-takeover-roles",
"categories": [
"Initial Access"
]
},
{
"attackTrack": "external-database-without-authentication",
"categories": [
Expand Down
6 changes: 6 additions & 0 deletions controls/C-0266-exposuretointernet-gateway.json
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,12 @@
"categories": [
"Initial Access"
]
},
{
"attackTrack": "external-workload-with-cluster-takeover-roles",
"categories": [
"Initial Access"
]
}
]
},
Expand Down
17 changes: 13 additions & 4 deletions controls/C-0267-workloadwithclustertakeoverroles.json
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,16 @@
"controlTypeTags": [
"security"
],
"attackTracks": []
"attackTracks": [
{
"attackTrack": "external-workload-with-cluster-takeover-roles",
"categories": [
"Cluster Access"
],
"displayRelatedResources": true,
"clickableResourceKind": "ServiceAccount"
}
]
},
"description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
"remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
Expand All @@ -16,12 +25,12 @@
"controlID": "C-0267",
"baseScore": 6.0,
"category": {
"name" : "Workload"
},
"name": "Workload"
},
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
}
2 changes: 1 addition & 1 deletion rules/outdated-k8s-version/raw.rego
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ deny[msga] {

has_outdated_version(version) {
# the `supported_k8s_versions` is validated in the validations script against "https://api.github.com/repos/kubernetes/kubernetes/releases"
supported_k8s_versions := ["v1.29", "v1.28", "v1.27"]
supported_k8s_versions := ["v1.30", "v1.29", "v1.28"]
every v in supported_k8s_versions{
not startswith(version, v)
}
Expand Down
Loading