last sync: 2024-Nov-25 18:54:24 UTC

Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Kubernetes clusters should not allow endpoint edit permissions of ClusterRole/system:aggregate-to-edit
Id: 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
Version: 3.2.0 (versions supported for versioning: 2, i.e. 3.1.0 and 3.2.0)
Category: Kubernetes
Description: ClusterRole/system:aggregate-to-edit should not grant edit permissions on Endpoints, because of CVE-2021-25740 (Endpoint & EndpointSlice permissions allow cross-Namespace forwarding; see https://github.com/kubernetes/kubernetes/issues/103675). This policy is generally available for Azure Kubernetes Service (AKS) and in preview for Azure Arc-enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.
Mode: Microsoft.Kubernetes.Data
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default Audit; Allowed Audit, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types (IF, 2): Microsoft.ContainerService/managedClusters, Microsoft.Kubernetes/connectedClusters
Compliance: Not a Compliance control
Initiatives usage: none
History
Date/Time (UTC ymd) Change type Change detail
2024-08-09 18:17:47 change Minor (3.1.0 > 3.2.0)
2023-05-01 17:41:52 change Minor (3.0.1 > 3.1.0)
2022-10-21 16:42:13 change Patch (3.0.0 > 3.0.1)
2022-09-19 17:41:40 change Major (2.0.0 > 3.0.0)
2022-06-10 16:31:21 change Major (1.0.1 > 2.0.0)
2021-12-06 22:17:57 change Patch (1.0.0 > 1.0.1)
2021-09-21 16:12:09 add 1ddac26b-ed48-4c30-8cc5-3a68c79b8001
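What the policy audits, as a worked example added to this page (it is not Microsoft's policy implementation nor Kubernetes project code): a Python check that flags every rule in a ClusterRole granting a write verb on Endpoints or EndpointSlices, the two resources named by CVE-2021-25740, plus a helper that strips those verbs while keeping read access and leaving unrelated resources alone. The ClusterRole below is constructed to resemble a pre-1.22 system:aggregate-to-edit and is not a dump from a real cluster; the verb set treated as "edit" and the file name check_endpoint_writes.py are this example's own assumptions.

```python
"""Audit a Kubernetes ClusterRole for write access to Endpoints/EndpointSlices
(the condition behind CVE-2021-25740: a subject that can write these objects
can point a Service at Pods in another namespace).

Usage on a live cluster (a configured kubectl is assumed):
    kubectl get clusterrole system:aggregate-to-edit -o json > role.json
    python3 check_endpoint_writes.py role.json
With no argument the constructed sample below is checked instead.
"""
import json
import sys

# Verbs treated as "edit" by this example: anything that changes an object,
# plus the wildcard. (Assumption of this example, not the policy's exact list.)
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# (apiGroup, resource) pairs covered by CVE-2021-25740.
ENDPOINT_RESOURCES = (("", "endpoints"), ("discovery.k8s.io", "endpointslices"))


def _rule_covers(rule, group, resource):
    """True if an RBAC rule's apiGroups/resources match the given pair."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("*" in groups or group in groups) and (
        "*" in resources or resource in resources)


def endpoint_write_rules(cluster_role):
    """Return (rule_index, apiGroup, resource, write_verbs) for every rule that
    grants a write verb on Endpoints or EndpointSlices. Empty list == clean."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        bad_verbs = sorted(set(rule.get("verbs", [])) & WRITE_VERBS)
        if not bad_verbs:
            continue
        for group, resource in ENDPOINT_RESOURCES:
            if _rule_covers(rule, group, resource):
                findings.append((i, group, resource, bad_verbs))
    return findings


def strip_endpoint_writes(cluster_role):
    """Return a deep copy with write verbs removed from Endpoints/EndpointSlices.
    A rule that also names other resources is split so those keep their verbs;
    read verbs on the endpoint resources are kept. Rules with a wildcard
    resource are left untouched (a human must decide), so re-run
    endpoint_write_rules() on the result to confirm it is clean."""
    fixed = json.loads(json.dumps(cluster_role))
    new_rules = []
    for rule in fixed.get("rules", []):
        verbs = rule.get("verbs", [])
        affected = [r for r in rule.get("resources", [])
                    if any(_rule_covers({**rule, "resources": [r]}, g, res)
                           for g, res in ENDPOINT_RESOURCES)]
        if not affected or not (set(verbs) & WRITE_VERBS) or "*" in affected:
            new_rules.append(rule)
            continue
        remaining = [r for r in rule["resources"] if r not in affected]
        if remaining:
            new_rules.append({**rule, "resources": remaining})
        read_verbs = (["get", "list", "watch"] if "*" in verbs
                      else [v for v in verbs if v not in WRITE_VERBS])
        if read_verbs:
            new_rules.append({**rule, "resources": affected, "verbs": read_verbs})
    fixed["rules"] = new_rules
    return fixed


# Constructed sample resembling a pre-1.22 system:aggregate-to-edit; not a
# dump from a real cluster, and the exact rule set is this example's own.
SAMPLE_AGGREGATE_TO_EDIT = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "system:aggregate-to-edit",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
    "rules": [
        {"apiGroups": [""],
         "resources": ["configmaps", "endpoints", "persistentvolumeclaims",
                       "secrets", "services"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["create", "delete", "deletecollection", "get", "list",
                   "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            role = json.load(f)
    else:
        role = SAMPLE_AGGREGATE_TO_EDIT
    findings = endpoint_write_rules(role)
    for i, group, resource, verbs in findings:
        print(f"rule[{i}] grants {verbs} on {group or 'core'}/{resource}")
    if findings:  # emit a remediated manifest for review before applying it
        print(json.dumps(strip_endpoint_writes(role), indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The policy only audits (Effect: Audit), so remediation is manual. Kubernetes v1.22 removed Endpoints write access from the default edit/admin aggregation, but RBAC auto-reconciliation at API-server start only adds missing default rules and never removes extra ones, so a cluster created before 1.22 keeps the old rule after an upgrade and stays non-compliant until someone edits it out (for example with kubectl edit clusterrole system:aggregate-to-edit, or by applying the stripped manifest this script prints after reviewing it). On a cluster still older than 1.22 the reconciler would re-add the rule unless the role's rbac.authorization.k8s.io/autoupdate annotation is set to "false".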