fix(checks): improve detection logic for AVD-KSV-0050#514
simar7 merged 3 commits into aquasecurity:main from
The check now only flags truly critical verbs (escalate, bind, impersonate) on roles/rolebindings. Regular CRUD operations (create, update, delete, deletecollection) are not flagged as Kubernetes RBAC prevents privilege escalation by default.

As explained in the issue, Kubernetes API prevents roles from being created with more privileges than the authorizer unless escalate or bind permissions are present. Only escalate, bind, and impersonate directly allow privilege escalation.

Refs: #9826
Refs: #9744
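The detection logic the PR description lays out (flag `escalate`, `bind` and `impersonate`; stop flagging plain CRUD verbs on RBAC objects) modelled as a small Python check. This is an added example, not the trivy-checks Rego policy itself; `check_manifest`, `critical_verbs`, `Finding` and the sample manifests are this example's own. It goes slightly beyond the description in two places, both marked as assumptions: a wildcard `*` verb on RBAC resources is treated as granting `escalate`/`bind`, and `impersonate` is flagged on whatever resource it appears, since in Kubernetes it is granted on users, groups and serviceaccounts rather than on roles.

```python
# Added example: a Python model of the KSV-0050 logic described in the PR
# (not the project's own Rego). Manifests are plain dicts, as if loaded from YAML.
from dataclasses import dataclass

RBAC_GROUP = "rbac.authorization.k8s.io"
ROLE_KINDS = {"Role", "ClusterRole"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}

# Verbs the PR keeps flagging: each lets a subject end up with more privilege
# than the authorizer already holds.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Verbs the PR stops flagging: the API server's own escalation check already
# refuses to create or update a role with permissions the caller lacks.
CRUD_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    rule_index: int
    verbs: tuple  # sorted critical verbs that triggered the finding


def _targets_rbac(rule: dict) -> bool:
    """True when a rule can reach Role/RoleBinding-type resources."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    group_ok = "*" in groups or RBAC_GROUP in groups
    resource_ok = "*" in resources or bool(resources & RBAC_RESOURCES)
    return group_ok and resource_ok


def critical_verbs(rule: dict) -> set:
    """Return the subset of a rule's verbs that allow privilege escalation."""
    verbs = set(rule.get("verbs", []))
    hits = set()
    if _targets_rbac(rule):
        scoped = {"escalate", "bind"}
        # Assumption of this example: a wildcard verb grants escalate and bind too.
        hits |= scoped if "*" in verbs else verbs & scoped
    # Assumption of this example: impersonate is flagged regardless of resource,
    # because it is normally granted on users/groups/serviceaccounts.
    if "impersonate" in verbs:
        hits.add("impersonate")
    return hits


def check_manifest(manifest: dict) -> list:
    """Flag each rule of a Role/ClusterRole that grants a critical verb."""
    if manifest.get("kind") not in ROLE_KINDS:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for i, rule in enumerate(manifest.get("rules", [])):
        hits = critical_verbs(rule)
        if hits:
            findings.append(Finding(manifest["kind"], name, i, tuple(sorted(hits))))
    return findings


# Constructed sample manifests for this example.
ROLE_CRUD_ONLY = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "rbac-crud", "namespace": "dev"},
    "rules": [{
        "apiGroups": [RBAC_GROUP],
        "resources": ["roles", "rolebindings"],
        "verbs": ["create", "update", "delete", "deletecollection"],  # not flagged
    }],
}

CLUSTERROLE_ESCALATING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "rbac-admin"},
    "rules": [
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["get", "escalate"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["bind"]},
        {"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]},  # wildcard off RBAC: not flagged
    ],
}

if __name__ == "__main__":
    for m in (ROLE_CRUD_ONLY, CLUSTERROLE_ESCALATING):
        for f in check_manifest(m):
            print(f"{f.kind}/{f.name} rule[{f.rule_index}] grants {', '.join(f.verbs)}")
```

Run as a script it reports three findings for `rbac-admin` (escalate, bind, impersonate) and none for `rbac-crud`, which is exactly the behaviour change the PR describes: CRUD verbs on RBAC objects pass, the three escalation verbs do not.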
| # custom: | ||
| # id: KSV-0050 | ||
| # long_id: kubernetes-no-manage-rbac-resources | ||
| # long_id: kubernetes-no-privilege-escalation-rbac |
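Review bot: the `long_id` change on the last two lines drops `kubernetes-no-manage-rbac-resources`, which users may already reference in ignore rules; keep the old value in the check's aliases next to the new `long_id: kubernetes-no-privilege-escalation-rbac` so existing ignores keep matching, and regenerate the docs after the metadata edit.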
The old identifier must be added to the alias to maintain compatibility if someone is already using it in ignore rules.
Hi @syedazeez337! Thanks for your contribution! I left a comment. Can you run
…-0050 Add the old long_id 'kubernetes-no-manage-rbac-resources' to aliases to maintain compatibility for users with existing ignore rules. Run 'make docs' to regenerate documentation.
Hi @nikpivkin, I have updated the docs and made the change you asked for. Let me know if everything looks good.
| # custom: | ||
| # id: KSV-0050 | ||
| # long_id: kubernetes-no-manage-rbac-resources | ||
| # long_id: kubernetes-no-privilege-escalation-rbac |
I meant that if long_id or any other identifier changes, it should be added to the alias.
…V-0050 Keep the original 'no-manage-rbac-resources' alias that existed in main to maintain backward compatibility for users with existing ignore rules.
Hi @nikpivkin, thank you for your support and guidance, and @simar7, thank you for approving the PR. I would like to get more involved in the project. Let me know if there is a community I can join so that I can be part of the conversation.
Hi @syedazeez337, thanks! Issues and Discussions in the Trivy repository are great places to follow ongoing conversations, suggest ideas, and engage with the developers.