Restrict ClusterRole Nodesproxy

Description

A ClusterRole that grants access to the nodes/proxy resource allows a user to do anything the kubelet API allows. It also lets users bypass the API server and talk directly to the kubelet, potentially circumventing audit logging and admission controllers. Refer to the official Aquasec blog for more info. This policy prevents the creation of a ClusterRole if it contains the nodes/proxy resource.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-clusterrole-nodesproxy.

Resource Example

Below are examples of two ClusterRole resources that do not grant access to the nodes/proxy resource and therefore pass the policy.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr01
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: goodcr02
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
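The following is an added audit example, not the Nirmata policy or any Kyverno code: it inspects ClusterRole objects (as dicts in the shape `kubectl get clusterrole -o json` returns) and reports rules that would grant nodes/proxy. It goes beyond a literal string match by applying the API server's RBAC resource-matching rules (an exact `nodes/proxy`, the `*` wildcard, or the `*/proxy` form, within the core group `""` or `*`); whether the curated policy itself handles the wildcard forms is not stated on this page. The `badcr01` and `wildcard01` objects are constructed samples.

```python
# Added example (not the Nirmata policy itself): audit ClusterRole objects for
# rules that would effectively grant access to the core nodes/proxy resource.
# Mirrors the API server's RBAC matching: a rule grants a subresource if it lists
# the exact "nodes/proxy", the wildcard "*", or the "*/proxy" form, and only when
# its apiGroups cover the core group (written "" in RBAC rules) or "*".

def rule_grants_nodes_proxy(rule: dict) -> bool:
    """Return True if a single PolicyRule would grant access to nodes/proxy."""
    groups = rule.get("apiGroups", [])
    if "" not in groups and "*" not in groups:
        return False  # nodes is a core-group resource; other groups cannot grant it
    for resource in rule.get("resources", []):
        if resource in ("nodes/proxy", "*", "*/proxy"):
            return True
    return False  # note: "nodes/*" is not a valid RBAC pattern and does not match


def offending_rules(clusterrole: dict) -> list[int]:
    """Return the indices of rules in a ClusterRole that grant nodes/proxy."""
    if clusterrole.get("kind") != "ClusterRole":
        return []
    return [i for i, rule in enumerate(clusterrole.get("rules", []))
            if rule_grants_nodes_proxy(rule)]


# goodcr02 is the page's own passing example; badcr01 and wildcard01 are constructed.
GOOD_CR = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
           "metadata": {"name": "goodcr02"},
           "rules": [{"apiGroups": [""], "resources": ["nodes"],
                      "verbs": ["get", "watch", "list"]}]}

BAD_CR = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
          "metadata": {"name": "badcr01"},
          "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
                    {"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]}

# Never spells out "nodes/proxy", but */proxy in group "*" still grants it.
WILDCARD_CR = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
               "metadata": {"name": "wildcard01"},
               "rules": [{"apiGroups": ["*"], "resources": ["*/proxy"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for cr in (GOOD_CR, BAD_CR, WILDCARD_CR):
        bad = offending_rules(cr)
        verdict = "DENY" if bad else "allow"
        print(f"{verdict}: {cr['metadata']['name']} offending rule indices={bad}")
```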