From bd5acb688b55db3b0cec2613bbe27b8e46dd7887 Mon Sep 17 00:00:00 2001
From: daniel-teuchert-sonarsource
Date: Mon, 18 Dec 2023 10:54:06 +0000
Subject: [PATCH 1/6] Create rule S6867
---
 rules/S6867/kubernetes/metadata.json | 25 ++++++++++++++++
 rules/S6867/kubernetes/rule.adoc | 44 ++++++++++++++++++++++++++++
 rules/S6867/metadata.json | 2 ++
 3 files changed, 71 insertions(+)
 create mode 100644 rules/S6867/kubernetes/metadata.json
 create mode 100644 rules/S6867/kubernetes/rule.adoc
 create mode 100644 rules/S6867/metadata.json
diff --git a/rules/S6867/kubernetes/metadata.json b/rules/S6867/kubernetes/metadata.json
new file mode 100644
index 00000000000..3db92129629
--- /dev/null
+++ b/rules/S6867/kubernetes/metadata.json
@@ -0,0 +1,25 @@
+{
+ "title": "FIXME",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ ],
+ "defaultSeverity": "Major",
+ "ruleSpecification": "RSPEC-6867",
+ "sqKey": "S6867",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "MAINTAINABILITY": "HIGH",
+ "RELIABILITY": "MEDIUM",
+ "SECURITY": "LOW"
+ },
+ "attribute": "CONVENTIONAL"
+ }
+}
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc
new file mode 100644
index 00000000000..4bd440f87a8
--- /dev/null
+++ b/rules/S6867/kubernetes/rule.adoc
@@ -0,0 +1,44 @@
+FIXME: add a description
+
+// If you want to factorize the description uncomment the following line and create the file.
+//include::../description.adoc[]
+
+== Why is this an issue?
+
+FIXME: remove the unused optional headers (that are commented out)
+
+//=== What is the potential impact?
+
+== How to fix it
+//== How to fix it in FRAMEWORK NAME
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,text,diff-id=1,diff-type=noncompliant]
+----
+FIXME
+----
+
+==== Compliant solution
+
+[source,text,diff-id=1,diff-type=compliant]
+----
+FIXME
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+
+//== Resources
+//=== Documentation
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
diff --git a/rules/S6867/metadata.json b/rules/S6867/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6867/metadata.json
@@ -0,0 +1,2 @@
+{
+}
From d2280dee8359587533955171fa229e51a4f063c8 Mon Sep 17 00:00:00 2001
From: Daniel Teuchert
Date: Mon, 18 Dec 2023 15:45:06 +0100
Subject: [PATCH 2/6] Added description
---
 rules/S6867/kubernetes/metadata.json | 18 ++++----
 rules/S6867/kubernetes/rule.adoc | 63 ++++++++++++++++++++++++----
 2 files changed, 66 insertions(+), 15 deletions(-)
diff --git a/rules/S6867/kubernetes/metadata.json b/rules/S6867/kubernetes/metadata.json
index 3db92129629..6521507300a 100644
--- a/rules/S6867/kubernetes/metadata.json
+++ b/rules/S6867/kubernetes/metadata.json
@@ -1,6 +1,6 @@
 {
- "title": "FIXME",
- "type": "CODE_SMELL",
+ "title": "Do not use wildcards when defining RBAC permissions",
+ "type": "VULNERABILITY",
 "status": "ready",
 "remediation": {
 "func": "Constant\/Issue",
@@ -10,16 +10,20 @@
 ],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-6867",
- "sqKey": "S6867",
+ "sqKey": "S6864",
 "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 284
+ ]
+ },
 "defaultQualityProfiles": ["Sonar way"],
 "quickfix": "unknown",
 "code": {
 "impacts": {
- "MAINTAINABILITY": "HIGH",
- "RELIABILITY": "MEDIUM",
- "SECURITY": "LOW"
+ "MAINTAINABILITY": "MEDIUM",
+ "SECURITY": "MEDIUM"
 },
- "attribute": "CONVENTIONAL"
+ "attribute": "COMPLETE"
 }
 }
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc
index 4bd440f87a8..d46a956b4d2 100644
--- a/rules/S6867/kubernetes/rule.adoc
+++ b/rules/S6867/kubernetes/rule.adoc
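Review bot: `"sqKey"` is changed from `S6867` to `S6864` in this hunk while `"ruleSpecification"` on the line above stays `RSPEC-6867` and the file lives under rules/S6867, so the Sonar key no longer matches the rule it describes; the later title-only patch in this series leaves it that way. Restore `"sqKey": "S6867",`. With `securityStandards.CWE` now populated, the `"tags"` array closed by this hunk's first context line is still empty; if the repository convention is to tag CWE-mapped rules (e.g. `"cwe"`), that belongs here too — worth confirming against a sibling rule.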
@@ -1,13 +1,19 @@
-FIXME: add a description
+Do not use wildcards when defining RBAC permissions
 // If you want to factorize the description uncomment the following line and create the file.
 //include::../description.adoc[]
 == Why is this an issue?
-FIXME: remove the unused optional headers (that are commented out)
+Using wildcards when defining Role-Based Access Control (RBAC) permissions in Kubernetes can lead to significant security issues. This is because it grants overly broad permissions, potentially allowing access to sensitive resources.
-//=== What is the potential impact?
+
+RBAC is designed to limit the access rights of users within the system by assigning roles to them. These roles define what actions a user can perform and on which resources. When a wildcard is used, it means that the role has access to all resources/verbs, bypassing the principle of least privilege. This principle states that a user should have only the minimal permissions they need to perform their job function.
+
+
+=== What is the potential impact?
+
+If an attacker gains access to a role with wildcard permissions, they could potentially read, modify, or delete any resource in the Kubernetes cluster, leading to data breaches, service disruptions, or other malicious activities.
 == How to fix it
 //== How to fix it in FRAMEWORK NAME
@@ -18,14 +24,30 @@ FIXME: remove the unused optional headers (that are commented out)
 [source,text,diff-id=1,diff-type=noncompliant]
 ----
-FIXME
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: example-role
+rules:
+ - apiGroups: [""]
+ resources: ["*"] # Noncompliant
+ verbs: ["get", "list"]
 ----
 ==== Compliant solution
 [source,text,diff-id=1,diff-type=compliant]
 ----
-FIXME
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: example-role
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
 ----
 //=== How does this work?
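Review bot: The description says a wildcard grants "all resources/verbs", but the only example marks `resources: ["*"]`; `verbs` and `apiGroups` accept `"*"` as well, so the text should state which of the three fields the rule flags, or the noncompliant example should also show a `verbs: ["*"]` case. The same `rules` schema is used by `ClusterRole`, which deserves one sentence since a cluster-wide wildcard is the higher-impact case. "users" in the second paragraph undersells the subject set; RBAC binds roles to users, groups and service accounts, so I would write `assigning roles to subjects (users, groups and service accounts)`. The Code examples section continues past the second hunk.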
@@ -35,10 +57,35 @@ FIXME
 //=== Going the extra mile
-//== Resources
-//=== Documentation
+== Resources
+=== Documentation
+
+* Kubernetes Documentation - https://kubernetes.io/docs/reference/access-authn-authz/rbac/[Using RBAC Authorization]
+
+
 //=== Articles & blog posts
 //=== Conference presentations
-//=== Standards
+=== Standards
+
+* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
+* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
+
 //=== External coding guidelines
 //=== Benchmarks
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Do not use wildcards when defining RBAC permissions
+
+
+=== Highlighting
+
+* Highlight the property that was set using a wildcart.
+endif::env-github,rspecator-view[]
\ No newline at end of file
From 0f50456fa26a0929fa6b7e85c4f77faac48c0240 Mon Sep 17 00:00:00 2001
From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
Date: Tue, 19 Dec 2023 11:32:36 +0100
Subject: [PATCH 3/6] Update rules/S6867/kubernetes/metadata.json
Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
---
 rules/S6867/kubernetes/metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/S6867/kubernetes/metadata.json b/rules/S6867/kubernetes/metadata.json
index 6521507300a..96725154d34 100644
--- a/rules/S6867/kubernetes/metadata.json
+++ b/rules/S6867/kubernetes/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "Do not use wildcards when defining RBAC permissions",
+ "title": "Wildcards should not be used to define RBAC permissions",
 "type": "VULNERABILITY",
 "status": "ready",
 "remediation": {
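Review bot: The Highlighting line in this hunk misspells the keyword: `* Highlight the property that was set using a wildcart.` should read `* Highlight the property that was set using a wildcard.`, and the later patch that edits the Message line just above it does not touch this line. The hunk also lands the file without a trailing newline (`\ No newline at end of file`), which turns the next edit of the last line into a noisy diff; end the file with a newline after `endif::env-github,rspecator-view[]`.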
From 39a2846b26a24c8866539499a557636f4b7c4fe5 Mon Sep 17 00:00:00 2001
From: Daniel Teuchert
Date: Tue, 19 Dec 2023 11:40:06 +0100
Subject: [PATCH 4/6] Made adjustments from review
---
 rules/S6867/kubernetes/rule.adoc | 14 +++----------
 1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc
index d46a956b4d2..29e01de46fc 100644
--- a/rules/S6867/kubernetes/rule.adoc
+++ b/rules/S6867/kubernetes/rule.adoc
@@ -1,8 +1,3 @@
-Do not use wildcards when defining RBAC permissions
-
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
-
 == Why is this an issue?
 Using wildcards when defining Role-Based Access Control (RBAC) permissions in Kubernetes can lead to significant security issues. This is because it grants overly broad permissions, potentially allowing access to sensitive resources.
@@ -16,13 +11,12 @@ RBAC is designed to limit the access rights of users within the system by assign
 If an attacker gains access to a role with wildcard permissions, they could potentially read, modify, or delete any resource in the Kubernetes cluster, leading to data breaches, service disruptions, or other malicious activities.
 == How to fix it
-//== How to fix it in FRAMEWORK NAME
 === Code examples
 ==== Noncompliant code example
-[source,text,diff-id=1,diff-type=noncompliant]
+[source,yaml,diff-id=1,diff-type=noncompliant]
 ----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -37,7 +31,7 @@ rules:
 ==== Compliant solution
-[source,text,diff-id=1,diff-type=compliant]
+[source,yaml,diff-id=1,diff-type=compliant]
 ----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -67,9 +61,7 @@ rules:
 //=== Conference presentations
 === Standards
-* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
 * https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
-* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
 //=== External coding guidelines
 //=== Benchmarks
@@ -82,7 +74,7 @@ ifdef::env-github,rspecator-view[]
 === Message
-Do not use wildcards when defining RBAC permissions
+Do not use wildcards when defining RBAC permissions.
 === Highlighting
From c9b2d0ba14ba6e66a08049d4c1584b60f79011cf Mon Sep 17 00:00:00 2001
From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
Date: Tue, 19 Dec 2023 12:51:24 +0100
Subject: [PATCH 5/6] Update rules/S6867/kubernetes/rule.adoc
Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
---
 rules/S6867/kubernetes/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc
index 29e01de46fc..f18391bbb5c 100644
--- a/rules/S6867/kubernetes/rule.adoc
+++ b/rules/S6867/kubernetes/rule.adoc
@@ -3,7 +3,7 @@
 Using wildcards when defining Role-Based Access Control (RBAC) permissions in Kubernetes can lead to significant security issues. This is because it grants overly broad permissions, potentially allowing access to sensitive resources.
-RBAC is designed to limit the access rights of users within the system by assigning roles to them. These roles define what actions a user can perform and on which resources. When a wildcard is used, it means that the role has access to all resources/verbs, bypassing the principle of least privilege. This principle states that a user should have only the minimal permissions they need to perform their job function.
+RBAC is designed to limit the access rights of users within the system by assigning roles to them. These roles define what actions a user can perform and on which resources. When a wildcard is used, it means that the role has access to all resources/verbs, bypassing the principle of least privilege. This principle states that users should have only the minimal permissions they need to perform their job function.
 === What is the potential impact?
From e79e817addad6e216ccc380c4df12e1140486828 Mon Sep 17 00:00:00 2001
From: Daniel Teuchert
Date: Tue, 19 Dec 2023 12:55:43 +0100
Subject: [PATCH 6/6] Added How does this work section
---
 rules/S6867/kubernetes/rule.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/S6867/kubernetes/rule.adoc b/rules/S6867/kubernetes/rule.adoc
index f18391bbb5c..36bb7ca6c0a 100644
--- a/rules/S6867/kubernetes/rule.adoc
+++ b/rules/S6867/kubernetes/rule.adoc
@@ -44,7 +44,9 @@ rules:
 verbs: ["get", "list"]
 ----
-//=== How does this work?
+=== How does this work?
+
+When defining RBAC permissions, it is important to follow the principle of least privilege. By explicitly specifying the verbs and resources a user should have access to instead of using wildcards, it can be ensured that users have only the permissions they need to perform their job function.
 //=== Pitfalls
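Review bot: The new paragraph names only `verbs` and `resources`, while the examples above also set `apiGroups`, which accepts `"*"` too; I would write `By explicitly listing the apiGroups, resources and verbs a subject needs instead of using wildcards, you ensure that users have only the permissions required for their job function.`, which also replaces the passive `it can be ensured`. The Pitfalls section that follows is outside the hunk.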