APP.4.4.A3 Identity and Authorization Management for Kubernetes (Identitäts- und Berechtigungsmanagement bei Kubernetes)
This BSI IT-Grundschutz requirement can be checked (in part) with a StackRox policy that enforces least privilege for workload service accounts. The relevant policy criterion is:
Policy criterion: Minimum RBAC Permissions
Description: Match if the deployment's Kubernetes service account has a Kubernetes RBAC permission level equal to (=) or greater than (>) the specified level.
Allowed values (one of): DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN
Negation (NOT): supported
Lifecycle phases: Deploy; Runtime (when used with a Runtime criterion)
We still need to check the BSI guidance for this requirement and may want to discuss it in the Richtlinien project.
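To make the permission levels concrete, here is an added example (not from this page, not StackRox's own code) of the kind of RBAC setup the criterion rates. The namespace `payments`, the service account `orders-api`, the ConfigMap name and the image are assumptions made for illustration. The first half shows the anti-pattern that lands a workload at the CLUSTER_ADMIN level; the second half is the least-privilege replacement that keeps the service account below ELEVATED_CLUSTER_WIDE, so a policy with the criterion set to ELEVATED_CLUSTER_WIDE stays quiet for it.

```yaml
# Added example for APP.4.4.A3 / "Minimum RBAC Permissions" (not from the
# page or from StackRox). Names, namespace and image are assumptions.
#
# Part 1 (weak): the workload's service account is bound to the built-in
# cluster-admin ClusterRole. StackRox rates this CLUSTER_ADMIN, so a policy
# with the criterion set to ELEVATED_CLUSTER_WIDE or higher fires on the
# deployment that uses this service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: orders-api-cluster-admin   # remove this binding; see Part 2
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: payments
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Part 2 (corrected): a namespaced Role granting only the verbs the workload
# needs, on one named resource, bound with a RoleBinding so the grant cannot
# leave the "payments" namespace. Apply this INSTEAD of the binding above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api-config-reader
  namespace: payments
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["orders-api-config"]   # assumed ConfigMap the app watches
  verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-config-reader
  namespace: payments
subjects:
- kind: ServiceAccount
  name: orders-api
  namespace: payments
roleRef:
  kind: Role
  name: orders-api-config-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders-api
  namespace: payments
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders-api
  template:
    metadata:
      labels:
        app: orders-api
    spec:
      serviceAccountName: orders-api
      # If the container never calls the API server, also set
      # automountServiceAccountToken: false here so no token is mounted.
      containers:
      - name: orders-api
        image: registry.example.com/payments/orders-api:1.4.2   # assumed
```

Do not apply both parts at once: RBAC is additive, so the ClusterRoleBinding from Part 1 would keep the account at CLUSTER_ADMIN regardless of the narrower Role. To verify what a service account can actually do before StackRox evaluates it, impersonate it: `kubectl auth can-i --list --as=system:serviceaccount:payments:orders-api -n payments` lists the effective permissions, and `kubectl auth can-i '*' '*' --as=system:serviceaccount:payments:orders-api` should answer `no` after Part 2 is applied.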
Edited by Steffen Lützenkirchen