last sync: 2022-Sep-30 16:34:23 UTC

Azure Policy definition

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Name Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit
Azure Portal
Id 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
Version 3.0.0
details on versioning
Category Kubernetes
Microsoft docs
Description ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Mode Microsoft.Kubernetes.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Disabled)
Used RBAC Role none
Rule Aliases
Rule ResourceTypes IF (1)
Microsoft.ContainerService/managedClusters
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-19 17:41:40 change Major (2.0.0 > 3.0.0)
2022-06-10 16:31:21 change Major (1.0.1 > 2.0.0)
2021-12-06 22:17:57 change Patch (1.0.0 > 1.0.1) *changes on text case sensitivity are not tracked
2021-09-21 16:12:09 add 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
Used in Initiatives none
JSON Changes

JSON