Create CertificateSigningRequests

Overview

Field	Value
ID	1053
Name	Create CertificateSigningRequests
Risk Category	Spoofing
Risk Level	Medium
Role Type	ClusterRole
API Groups	certificates.k8s.io
Resources	certificatesigningrequests
Risky Verb Combinations	[create]
Tags	CSRCreation PotentialPrivilegeEscalation Spoofing

Description

Allows creating CertificateSigningRequests. While creating a CSR itself isn’t immediately dangerous, if an overly permissive or automated signer approves it, it can lead to the issuance of a certificate with unintended privileges, facilitating spoofing or potential privilege escalation.

Abuse Scenarios

Create a CertificateSigningRequest for a new user or group.

# Generate a private key and CSR
openssl genrsa -out user.key 2048
openssl req -new -key user.key -out user.csr -subj "/CN=<username>/O=<group>"
# Create the CSR object in Kubernetes
kubectl certificate create <csr-name> --csr=user.csr --request-name=<request-name>
# Example: openssl genrsa -out admin.key 2048 && openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/O=system:masters" && kubectl certificate create admin-csr --csr=admin.csr --request-name=admin-request