[TEMPLATE CONTRIBUTION] Kubernetes dangerous RBAC permissions #11575

Open
1 task done
domwhewell-sage opened this issue Feb 3, 2025 · 1 comment
Labels
template-contribution Nuclei template contribution

Comments

@domwhewell-sage
Contributor

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

```yaml
id: k8s-role-pod-create

info:
  name: Roles that have pod create permissions
  author: domwhewell-sage
  severity: low
  description: Checks for roles that have permissions to create pods.
  impact: |
    Pods that have the service account with a role that allows them to create pods, could allow a pod breakout.
  remediation: Configure pods so they are not assigned the permission to create other pods
  reference:
    - https://kubernetes.io/docs/concepts/security/rbac-good-practices/#least-privilege
    - https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/index.html
  tags: cloud,devops,kubernetes,devsecops,roles,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let role of template.items) {
    set("role", role)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get role --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
        let role = JSON.parse(template.role);
        let riskyRules = 0;
        role.rules.forEach(rule => {
          if ((rule.resources.includes("pods") && rule.verbs.includes("create")) ||
              (rule.resources.includes("pods") && rule.verbs.includes("*")) ||
              (rule.resources.includes("*") && rule.verbs.includes("create")) ||
              (rule.resources.includes("*") && rule.verbs.includes("*"))) {
            riskyRules++;
          }
        });
        if (riskyRules > 0) {
          let result = (`Role '${role.metadata.name}' in namespace '${role.metadata.namespace}' has ${riskyRules} rule(s) with 'pods' resource and 'create' verb.`);
          Export(result);
        }

    extractors:
      - type: dsl
        dsl:
          - response
```

Relevant dumped responses

```json
{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {
                "annotations": {
                    "meta.helm.sh/release-name": "createall",
                    "meta.helm.sh/release-namespace": "createall"
                },
                "creationTimestamp": "2025-02-03T11:17:54Z",
                "labels": {
                    "app.kubernetes.io/managed-by": "Helm"
                },
                "name": "createall-role",
                "namespace": "dangerousroles",
                "resourceVersion": "270205171",
                "uid": "539e3c8a-8e86-4d93-987b-d74faae0f2b4"
            },
            "rules": [
                {
                    "apiGroups": [
                        ""
                    ],
                    "resources": [
                        "*"
                    ],
                    "verbs": [
                        "create"
                    ]
                }
            ]
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {
                "annotations": {
                    "meta.helm.sh/release-name": "podbreakout",
                    "meta.helm.sh/release-namespace": "podbreakout"
                },
                "creationTimestamp": "2025-02-03T11:17:54Z",
                "labels": {
                    "app.kubernetes.io/managed-by": "Helm"
                },
                "name": "podbreakout-role",
                "namespace": "dangerousroles",
                "resourceVersion": "270205171",
                "uid": "539e3c8a-8e86-4d93-987b-d74faae0f2b4"
            },
            "rules": [
                {
                    "apiGroups": [
                        ""
                    ],
                    "resources": [
                        "pods"
                    ],
                    "verbs": [
                        "create"
                    ]
                }
            ]
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {
                "annotations": {
                    "meta.helm.sh/release-name": "allperms",
                    "meta.helm.sh/release-namespace": "allperms"
                },
                "creationTimestamp": "2025-02-03T11:17:54Z",
                "labels": {
                    "app.kubernetes.io/managed-by": "Helm"
                },
                "name": "allperms-role",
                "namespace": "dangerousroles",
                "resourceVersion": "270205171",
                "uid": "539e3c8a-8e86-4d93-987b-d74faae0f2b4"
            },
            "rules": [
                {
                    "apiGroups": [
                        ""
                    ],
                    "resources": [
                        "pods"
                    ],
                    "verbs": [
                        "*"
                    ]
                }
            ]
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
```

Anything else?

This template should flag up roles with dangerous permissions to create pods, potentially allowing for pod breakout #11545
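Added example (not part of the submitted template or of the Nuclei project): the same "which Roles can create pods?" check as a stand-alone Node.js script over the JSON shape that `kubectl get role --all-namespaces --output=json` emits. It goes slightly beyond the template's JavaScript in two ways a reviewer would want covered: a rule only grants pod creation when its `apiGroups` covers the core group (`""` or `"*"`), since pods live in the core API group, and rules with no `resources` key (nonResourceURLs-only rules, which ClusterRoles may carry) are skipped rather than throwing on `undefined.includes`. The sample list, the function names and the extra `pod-reader`, `wrong-group` and `healthz-reader` objects are constructed for the example; only the three `dangerousroles` Roles mirror the dumped response above.

```javascript
// Matches the core API group, where the pods resource lives.
const CORE_GROUPS = new Set(["", "*"]);

// True when one RBAC rule grants the `create` verb on the `pods` resource.
// Wildcards in apiGroups, resources and verbs are honoured; a rule without a
// `resources` key (nonResourceURLs rule) is treated as not granting anything.
function ruleGrantsPodCreate(rule) {
  const groups = rule.apiGroups || [];
  const resources = rule.resources || []; // absent on nonResourceURLs rules
  const verbs = rule.verbs || [];
  const groupMatch = groups.some((g) => CORE_GROUPS.has(g));
  const resourceMatch = resources.includes("pods") || resources.includes("*");
  const verbMatch = verbs.includes("create") || verbs.includes("*");
  return groupMatch && resourceMatch && verbMatch;
}

// Walk a kubectl List of Role/ClusterRole objects and return one finding per
// object that has at least one pod-create rule, with the count of such rules.
function findPodCreateRoles(roleList) {
  const findings = [];
  for (const role of roleList.items || []) {
    const riskyRules = (role.rules || []).filter(ruleGrantsPodCreate).length;
    if (riskyRules > 0) {
      findings.push({
        kind: role.kind,
        name: role.metadata.name,
        namespace: role.metadata.namespace || "<cluster-scoped>",
        riskyRules,
      });
    }
  }
  return findings;
}

// Constructed sample input shaped like the dumped response in the issue.
const SAMPLE_LIST = {
  apiVersion: "v1",
  kind: "List",
  items: [
    { kind: "Role", metadata: { name: "createall-role", namespace: "dangerousroles" },
      rules: [{ apiGroups: [""], resources: ["*"], verbs: ["create"] }] },
    { kind: "Role", metadata: { name: "podbreakout-role", namespace: "dangerousroles" },
      rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["create"] }] },
    { kind: "Role", metadata: { name: "allperms-role", namespace: "dangerousroles" },
      rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["*"] }] },
    // Read-only access to pods: must not be flagged.
    { kind: "Role", metadata: { name: "pod-reader", namespace: "dangerousroles" },
      rules: [{ apiGroups: [""], resources: ["pods"], verbs: ["get", "list"] }] },
    // `create` on "pods" in a non-core group matches no real resource: not flagged.
    { kind: "Role", metadata: { name: "wrong-group", namespace: "dangerousroles" },
      rules: [{ apiGroups: ["apps"], resources: ["pods"], verbs: ["create"] }] },
    // nonResourceURLs-only rule (no `resources` key): skipped, not a crash.
    { kind: "ClusterRole", metadata: { name: "healthz-reader" },
      rules: [{ nonResourceURLs: ["/healthz"], verbs: ["get"] }] },
  ],
};

// Usage: `node pod-create-roles.js dump.json` checks a saved kubectl dump;
// with no argument the constructed sample above is checked instead.
const dumpPath = typeof process !== "undefined" && process.argv[2];
const input = dumpPath
  ? JSON.parse(require("fs").readFileSync(dumpPath, "utf8"))
  : SAMPLE_LIST;
for (const f of findPodCreateRoles(input)) {
  console.log(
    `${f.kind} '${f.name}' in namespace '${f.namespace}' has ${f.riskyRules} rule(s) granting 'create' on 'pods'.`
  );
}
```

Against the sample list this reports exactly the three `dangerousroles` Roles from the dump and stays silent on the read-only, wrong-group and nonResourceURLs objects. Note that, like the template, it only looks at Role objects themselves; whether a finding is reachable from a pod still depends on the RoleBinding and the pod's service account.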

@domwhewell-sage domwhewell-sage added the template-contribution Nuclei template contribution label Feb 3, 2025
@GeorginaReeder

Thanks for your contribution @domwhewell-sage , we appreciate it!
