Allowing command execution (exec) for roles in a Kubernetes cluster can pose a significant security risk. This is because it provides the user with the ability to execute arbitrary commands within a container, potentially leading to unauthorized access or data breaches.

In a production Kubernetes cluster, exec permissions are typically unnecessary due to the principle of least privilege, which suggests that a user or process should only have the minimum permissions necessary to perform its function. Additionally, containers in production are often treated as immutable infrastructure, meaning they should not be changed once deployed. Any changes should be made to the container image, which is then used to deploy a new container.

Ask Yourself Whether

• This role is given to people who are not administrators of the Kubernetes cluster.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

Disable exec privileges for this role. The exec permissions are set by allowing the create verb for the pods/exec resource. Removing this permission will prevent users and services from executing arbitrary commands within containers.

Sensitive Code Example

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/exec"] # Sensitive
    verbs: ["create"]

Compliant Solution

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]

See

• Kubernetes Documentation - Get a Shell to a Running Container
• CWE - CWE-284 - Improper Access Control