APP.4.4.A3 Identity and Authorization Management in Kubernetes (BSI IT-Grundschutz requirement "Identitäts- und Berechtigungsmanagement bei Kubernetes")

We can check this (partly) with a StackRox policy that checks for least privilege. The relevant policy criterion is the following; note that it only looks at the service account a deployment runs as, so the parts of APP.4.4.A3 that concern other identities are not covered by it:

Policy criterion: Minimum RBAC Permissions

Description: Match if the deployment's Kubernetes service account has a Kubernetes RBAC permission level equal to (=) or greater than (>) the specified level.

Allowed values (one of): DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN

Logical operator: NOT

Lifecycle phase: Deploy, Runtime (when used with a Runtime criterion)
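As an added example (not code from this page or from StackRox), the following Python script approximates the classification the criterion performs, offline, over RoleBinding/ClusterRoleBinding objects in the shape of `kubectl get ... -o json` output. The level definitions, the namespaces, roles and service account names, and the field layout of the policy JSON are assumptions made for the example. It goes slightly beyond the criterion's description in two places a reviewer should care about: group subjects (`system:serviceaccounts:<ns>`) are resolved, since a binding to such a group silently grants the permission to every service account in the namespace, and a RoleBinding to the `cluster-admin` ClusterRole is classified as namespace elevation, because a RoleBinding scopes even a ClusterRole to its own namespace.

```python
"""Approximate the StackRox "Minimum RBAC Permissions" check offline.

Constructed example, not StackRox's implementation: the RBAC levels below are
an approximation of DEFAULT / ELEVATED_IN_NAMESPACE / ELEVATED_CLUSTER_WIDE /
CLUSTER_ADMIN, derived from bindings as `kubectl get ... -o json` shows them.
"""
from enum import IntEnum


class RbacLevel(IntEnum):
    """Ordered so that 'equal to or greater than' is a plain comparison."""
    DEFAULT = 0
    ELEVATED_IN_NAMESPACE = 1
    ELEVATED_CLUSTER_WIDE = 2
    CLUSTER_ADMIN = 3


def is_wildcard_rule(rule):
    """True for the '* verbs on * resources in * apiGroups' rule cluster-admin is built from."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))


def subject_matches(subject, sa_name, sa_ns):
    """Direct ServiceAccount subjects plus the groups every SA is implicitly in."""
    if subject.get("kind") == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == sa_ns
    if subject.get("kind") == "Group":
        return subject.get("name") in {
            "system:serviceaccounts", f"system:serviceaccounts:{sa_ns}", "system:authenticated"}
    return False


def resolve_rules(role_ref, binding_ns, roles, cluster_roles):
    """roles is keyed by (namespace, name); cluster_roles is keyed by name."""
    if role_ref["kind"] == "ClusterRole":
        return cluster_roles.get(role_ref["name"], {}).get("rules", [])
    return roles.get((binding_ns, role_ref["name"]), {}).get("rules", [])


def classify(sa_name, sa_ns, roles, cluster_roles, role_bindings, cluster_role_bindings):
    """Highest level any binding grants to the service account; DEFAULT if none do."""
    level = RbacLevel.DEFAULT
    for crb in cluster_role_bindings:
        if not any(subject_matches(s, sa_name, sa_ns) for s in crb.get("subjects", [])):
            continue
        rules = resolve_rules(crb["roleRef"], None, roles, cluster_roles)
        if any(is_wildcard_rule(r) for r in rules):
            return RbacLevel.CLUSTER_ADMIN
        if rules:
            level = max(level, RbacLevel.ELEVATED_CLUSTER_WIDE)
    for rb in role_bindings:
        if not any(subject_matches(s, sa_name, sa_ns) for s in rb.get("subjects", [])):
            continue
        # A RoleBinding scopes even a ClusterRole (cluster-admin included) to the
        # binding's namespace, so this is namespace elevation, not CLUSTER_ADMIN.
        rules = resolve_rules(rb["roleRef"], rb["metadata"]["namespace"], roles, cluster_roles)
        if rules:
            level = max(level, RbacLevel.ELEVATED_IN_NAMESPACE)
    return level


def violates(level, threshold):
    """The criterion's semantics: match if the level is equal to or greater than the threshold."""
    return level >= threshold


def stackrox_policy(threshold):
    """Skeleton of a StackRox policy using the criterion. The field layout is an
    assumption based on StackRox policy exports; compare with an export from
    your own Central before importing it."""
    return {
        "name": "APP.4.4.A3: service account RBAC too broad",
        "severity": "HIGH_SEVERITY",
        "categories": ["Security Best Practices"],
        "lifecycleStages": ["DEPLOY"],
        "policySections": [{"sectionName": "RBAC", "policyGroups": [{
            "fieldName": "Minimum RBAC Permissions", "booleanOperator": "OR",
            "negate": False, "values": [{"value": threshold.name}]}]}],
    }


# Constructed cluster state (hypothetical namespaces, roles and accounts).
ROLES = {("payments", "secret-reader"): {"rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]}}
CLUSTER_ROLES = {
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "node-viewer": {"rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
}
ROLE_BINDINGS = [
    {"metadata": {"namespace": "payments"}, "roleRef": {"kind": "Role", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments-api", "namespace": "payments"}]},
    {"metadata": {"namespace": "ci"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:monitoring"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ops", "namespace": "kube-system"}]},
]
SERVICE_ACCOUNTS = [("frontend", "web"), ("payments", "payments-api"), ("ci", "runner"),
                    ("monitoring", "prom"), ("kube-system", "ops")]


def classify_sample():
    """Level per 'namespace/name' for the constructed service accounts."""
    return {f"{ns}/{name}": classify(name, ns, ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)
            for ns, name in SERVICE_ACCOUNTS}


if __name__ == "__main__":
    threshold = RbacLevel.ELEVATED_CLUSTER_WIDE
    for sa, level in classify_sample().items():
        print(f"{sa:24} {level.name:22} {'VIOLATION' if violates(level, threshold) else 'ok'}")
```

Running it with the threshold set to ELEVATED_CLUSTER_WIDE flags only `monitoring/prom` (elevated through a group binding) and `kube-system/ops` (cluster-admin), while `ci/runner` stays at ELEVATED_IN_NAMESPACE despite referencing the cluster-admin ClusterRole. If we do adopt the StackRox criterion, that last case is worth a separate policy at the ELEVATED_IN_NAMESPACE level for namespaces where namespace-wide admin is still too much.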

We must still check the guidance and maybe discuss this in the Richtlinien project.

Edited by Rainer Molitor