Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries
Description
A wildcard ("*") apiGroups entry matches every API group, a wildcard resources entry matches every resource in those groups, and a wildcard verbs entry matches every action on them. This violates the principle of least privilege: a role should grant access only to the resources and actions the workload needs to function. A wildcard also keeps granting access to resources and verbs that do not exist yet (for example, CRDs or API groups added to the cluster later), so the grant widens over time without any change to the role.
Remediation Steps
Kubernetes Manifest (YAML)
Ensure that ClusterRoles and Roles list explicit apiGroups, resources, and verbs and never use "*" in any of those entries.
Example Configuration
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "configmaps", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"] # Deployments live in the apps API group, not the core group
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example-name
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "configmaps", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"] # Deployments live in the apps API group, not the core group
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
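The check described above can be run over existing roles rather than only applied when writing new ones. The following Python script is an added example and not part of this page or of any Kubernetes tooling; it parses a constructed JSON document shaped like the output of `kubectl get clusterroles,roles -A -o json` and reports every rule whose apiGroups, resources, or verbs contain "*". The sample roles, their names, and the `find_wildcards`/`audit` function names are assumptions made for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like `kubectl get clusterroles,roles -A -o json` output.
# These roles and names are invented for the example; they are not real cluster data.
SAMPLE_RBAC_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRole",
      "metadata": {"name": "example-name"},
      "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps", "services", "endpoints"],
         "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "watch", "list"]}
      ]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRole",
      "metadata": {"name": "too-broad"},
      "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
      ]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "Role",
      "metadata": {"namespace": "example-name", "name": "secrets-reader"},
      "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
        {"nonResourceURLs": ["/healthz"], "verbs": ["get"]}
      ]
    }
  ]
}
"""

# The three rule fields this check inspects for the "*" wildcard.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def find_wildcards(role: Dict) -> List[Tuple[int, str]]:
    """Return (rule_index, field) pairs where a rule uses "*".

    Rules that grant nonResourceURLs carry no apiGroups/resources, so for
    those only the verbs entry is examined; missing fields are treated as empty.
    """
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        for field in WILDCARD_FIELDS:
            if "*" in (rule.get(field) or []):
                findings.append((i, field))
    return findings


def audit(rbac_list: Dict) -> Dict[str, List[Tuple[int, str]]]:
    """Map "Kind/name" (or "Kind/namespace/name" for Roles) to its wildcard findings.

    Only roles with at least one finding appear in the result; other item kinds
    in the List are ignored.
    """
    results = {}
    for item in rbac_list.get("items", []):
        if item.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = item.get("metadata", {})
        ns = meta.get("namespace")
        key = f'{item["kind"]}/{ns}/{meta["name"]}' if ns else f'{item["kind"]}/{meta["name"]}'
        findings = find_wildcards(item)
        if findings:
            results[key] = findings
    return results


def audit_sample() -> Dict[str, List[Tuple[int, str]]]:
    """Run the audit over the constructed sample document."""
    return audit(json.loads(SAMPLE_RBAC_JSON))


if __name__ == "__main__":
    for key, findings in sorted(audit_sample().items()):
        for idx, field in findings:
            print(f"{key}: rules[{idx}].{field} uses '*'")
```

Against a live cluster, replace `SAMPLE_RBAC_JSON` with the output of `kubectl get clusterroles,roles -A -o json`. The check matches the literal entry "*" only; it deliberately does not flag subresource patterns such as "*/scale", which the API server accepts and which scope a grant to one subresource rather than widening it.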