Merge pull request #619 from kubescape/new-ac

re-add attack track external-workload-with-cluster-takeover-roles
kubescape · Apr 21, 2024 · 7f4ba54 · 7f4ba54
2 parents d77150c + a97dbf9
commit 7f4ba54
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 5 deletions.
diff --git a/attack-tracks/external-workload-with-cluster-takeover-roles.json b/attack-tracks/external-workload-with-cluster-takeover-roles.json
@@ -0,0 +1,20 @@
+{
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+        "name": "external-workload-with-cluster-takeover-roles"
+    },
+    "spec": {
+        "version": "1.0",
+        "data": {
+            "name": "Initial Access",
+            "description": "An attacker can access the Kubernetes environment.",
+            "subSteps": [
+                {
+                    "name": "Cluster Access",
+                    "description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
+                }
+            ]
+        }
+    }
+}
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
@@ -17,6 +17,12 @@
                     "Initial Access"
                 ]
             },
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Initial Access"
+                ]
+            },
             {
                 "attackTrack": "external-database-without-authentication",
                 "categories": [

diff --git a/controls/C-0266-exposuretointernet-gateway.json b/controls/C-0266-exposuretointernet-gateway.json
@@ -16,6 +16,12 @@
                 "categories": [
                     "Initial Access"
                 ]
+            },
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Initial Access"
+                ]
             }
         ]
     },

diff --git a/controls/C-0267-workloadwithclustertakeoverroles.json b/controls/C-0267-workloadwithclustertakeoverroles.json
@@ -4,7 +4,16 @@
         "controlTypeTags": [
             "security"
         ],
-        "attackTracks": []
+        "attackTracks": [
+            {
+                "attackTrack": "external-workload-with-cluster-takeover-roles",
+                "categories": [
+                    "Cluster Access"
+                ],
+                "displayRelatedResources": true,
+                "clickableResourceKind": "ServiceAccount"
+            }
+        ]
     },
     "description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
     "remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
@@ -16,12 +25,12 @@
     "controlID": "C-0267",
     "baseScore": 6.0,
     "category": {
-        "name" : "Workload"
-   },
+        "name": "Workload"
+    },
     "scanningScope": {
         "matches": [
             "cluster",
             "file"
         ]
     }
-}
+}
diff --git a/rules/outdated-k8s-version/raw.rego b/rules/outdated-k8s-version/raw.rego
@@ -18,7 +18,7 @@ deny[msga] {
 
 has_outdated_version(version)  {
 	# the `supported_k8s_versions` is validated in the validations script against "https://api.github.com/repos/kubernetes/kubernetes/releases"
-    supported_k8s_versions := ["v1.29", "v1.28", "v1.27"] 
+    supported_k8s_versions := ["v1.30", "v1.29", "v1.28"] 
 	every v in supported_k8s_versions{
 		not startswith(version, v)
 	}