Create CertificateSigningRequests
Overview
| Field | Value |
|---|---|
| ID | 1053 |
| Name | Create CertificateSigningRequests |
| Risk Category | Spoofing |
| Risk Level | Medium |
| Role Type | ClusterRole |
| API Groups | certificates.k8s.io |
| Resources | certificatesigningrequests |
| Verbs | create |
| Tags | CSRCreation, PotentialPrivilegeEscalation, Spoofing |
Description
Allows creating CertificateSigningRequests. Creating a CSR is not dangerous by itself, but if an overly permissive or automated signer approves it, the resulting certificate can carry an identity (username and groups taken from the request's subject) with unintended privileges, enabling spoofing or privilege escalation.
Abuse Scenarios
- Create a CertificateSigningRequest for a new user or group.
```bash
# Generate a private key and CSR
openssl genrsa -out user.key 2048
openssl req -new -key user.key -out user.csr -subj "/CN=<username>/O=<group>"
# Submit it as a CertificateSigningRequest object (kubectl has no "certificate create" subcommand;
# the PEM request goes base64-encoded into spec.request)
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata: {name: <csr-name>}
spec: {request: $(base64 < user.csr | tr -d '\n'), signerName: kubernetes.io/kube-apiserver-client, usages: ["client auth"]}
EOF
# Example: openssl genrsa -out admin.key 2048 && openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=system:masters", then submit admin.csr as above under the name admin-csr
```
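A review step an approver or admission check should run before any CSR from this scenario is signed, as an added Go example that is not part of this catalogue: it parses the PEM request (the base64-decoded spec.request of the CertificateSigningRequest object) and flags exactly the subject properties the abuse above relies on: a CN that differs from the user who created the object, a reserved system: identity, or an O naming a privileged group. The names privilegedGroups, ReviewCSR and NewClientCSR, and the group policy, are assumptions of this example; NewClientCSR only constructs sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// Groups that must never be granted by approving a CSR (assumed policy for this example).
var privilegedGroups = map[string]bool{"system:masters": true}

// ReviewCSR parses the PEM PKCS#10 request carried (base64-decoded) in a CSR object's
// spec.request and returns every reason it should not be approved; requester is the username that created the object.
func ReviewCSR(csrPEM []byte, requester string) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	// For the kube-apiserver-client signer, CN becomes the username and O entries the groups.
	findings, cn := []string{}, csr.Subject.CommonName
	if strings.HasPrefix(cn, "system:") {
		findings = append(findings, "CN requests reserved identity "+cn)
	}
	if cn != requester {
		findings = append(findings, fmt.Sprintf("CN %q does not match requester %q", cn, requester))
	}
	for _, g := range csr.Subject.Organization {
		if privilegedGroups[g] {
			findings = append(findings, "O requests privileged group "+g)
		}
	}
	return findings, nil
}

// NewClientCSR builds a constructed sample request with the given CN and O values
// (test input only, so key-generation errors are ignored).
func NewClientCSR(cn string, groups []string) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: groups}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
```

Run over the admin.csr from the scenario with the creating user's name as requester, it reports both the requester mismatch and the system:masters group; a CSR whose CN equals the requester and whose O holds no privileged group returns no findings.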