RoleBinding should not allow privilege escalation to a ServiceAccount or Node on other RoleBinding

Description

In Kubernetes, a RoleBinding is used to grant specific permissions to a user or group of users. These permissions, defined in "roles," determine what actions a user is allowed to perform within a Kubernetes cluster.

It is important to ensure that RoleBindings are configured in a way that does not allow privilege escalation. This means that a user with a RoleBinding should not be able to gain access to privileges that they are not explicitly granted through their RoleBinding.

Allowing privilege escalation would mean that a user could potentially gain unauthorized access to sensitive information or perform actions that they are not supposed to be able to perform. This could pose a security risk to the cluster, so it is important to prevent privilege escalation in RoleBindings.

One way to prevent privilege escalation in RoleBindings is to make sure that they are not granted to ServiceAccounts or Nodes. This is because ServiceAccounts and Nodes are not typically associated with individual users, so granting a RoleBinding to them could potentially allow any user who is able to access the ServiceAccount or Node to gain the privileges granted by the RoleBinding. This could lead to privilege escalation, so it is generally best to avoid granting RoleBindings to ServiceAccounts and Nodes.

Fix - Buildtime

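```yaml
# RoleBinding is served by the RBAC API group, not the core "v1" group.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restricted-access
# Subjects that receive the permissions of the role named in roleRef.
subjects:
- kind: ServiceAccount
  name: my-service-account
- kind: Node
  name: my-node
roleRef:
  kind: ClusterRole
  name: restricted-access
  apiGroup: rbac.authorization.k8s.io
```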
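
A check for the rule described above, as an added example that is not code from this page or from any policy tool: it scans RoleBinding objects in JSON form and reports every subject that is a ServiceAccount or Node. Going beyond the page, it also flags the user prefix `system:node:` and the group `system:nodes` as node identities; the function names and the sample input are constructed for illustration.

```python
import json

RISKY_KINDS = {"ServiceAccount", "Node"}  # subject kinds named on this page

def is_node_identity(subject):
    # Assumption beyond the page: kubelets authenticate as user
    # "system:node:<name>" and belong to group "system:nodes".
    kind, name = subject.get("kind"), subject.get("name", "")
    return ((kind == "User" and name.startswith("system:node:"))
            or (kind == "Group" and name == "system:nodes"))

def find_risky_bindings(doc):
    """Return (namespace, binding, subject kind, subject name, role) per flagged subject."""
    is_list = doc.get("kind", "").endswith("List")
    items = (doc.get("items") or []) if is_list else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "RoleBinding":
            continue
        meta, role = obj.get("metadata", {}), obj.get("roleRef", {})
        for s in obj.get("subjects") or []:  # "subjects" may be absent or null
            if s.get("kind") in RISKY_KINDS or is_node_identity(s):
                findings.append((meta.get("namespace", ""), meta.get("name", ""),
                                 s.get("kind"), s.get("name"),
                                 f'{role.get("kind")}/{role.get("name")}'))
    return findings

# Constructed sample, shaped like `kubectl get rolebindings -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "RoleBinding",
   "metadata": {"name": "restricted-access", "namespace": "default"},
   "subjects": [{"kind": "ServiceAccount", "name": "my-service-account"},
                {"kind": "Node", "name": "my-node"}],
   "roleRef": {"kind": "ClusterRole", "name": "restricted-access"}},
  {"kind": "RoleBinding",
   "metadata": {"name": "dev-view", "namespace": "dev"},
   "subjects": [{"kind": "User", "name": "alice"},
                {"kind": "User", "name": "system:node:worker-1"}],
   "roleRef": {"kind": "Role", "name": "view"}},
  {"kind": "RoleBinding",
   "metadata": {"name": "empty", "namespace": "dev"},
   "subjects": null,
   "roleRef": {"kind": "Role", "name": "view"}}
]}
""")

if __name__ == "__main__":
    for finding in find_risky_bindings(SAMPLE):
        print(*finding, sep="\t")
```

Run in a pipeline, a non-empty result can fail the build so that each flagged binding is reviewed before it is applied.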