Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries

Description

A wildcard (`*`) resource entry matches all resources, a wildcard verb entry matches all actions (including write actions such as create, patch and delete), and a wildcard apiGroups entry matches every API group, including custom resources added to the cluster later. A rule with wildcards in all three fields is equivalent to the built-in cluster-admin role. This violates the principle of least privilege, since roles should only grant access to the specific resources and actions which are necessary for the workload to function.

Remediation Steps

Kubernetes Manifest (YAML)

  • Ensure that ClusterRoles and Roles list explicit apiGroups, resources and verbs, and do not use `*` in any of those fields.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "configmaps", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"] # Deployments belong to the apps group, not the core group
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: example-name
  name: example-name
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "configmaps", "services", "endpoints"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["apps"] # Deployments belong to the apps group, not the core group
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
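To audit a live cluster rather than only manifests, the following checker (an added example, not part of this rule page or of any scanner's own code) walks the JSON that `kubectl get clusterroles,roles -A -o json` emits and reports every rule whose apiGroups, resources or verbs contain a wildcard. The sample input is constructed to resemble that output: one ClusterRole with wildcards in all three fields, one Role that mixes compliant and non-compliant rules, and one clean Role. It also flags `*/<subresource>` entries in resources, which Kubernetes RBAC treats as matching that subresource on every resource type.

```python
import json
import sys

# Fields of a PolicyRule covered by the rule on this page.
FIELDS = ("apiGroups", "resources", "verbs")

# Constructed sample shaped like `kubectl get clusterroles,roles -A -o json`.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole",
            "metadata": {"name": "overly-broad"},
            # Wildcards everywhere: effectively cluster-admin.
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": "deploy-manager", "namespace": "prod"},
            "rules": [
                {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
                {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
                {"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update"]},
            ],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": "config-reader", "namespace": "dev"},
            "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}],
        },
    ],
}


def wildcard_entries(field, values):
    """Return the entries of one PolicyRule field that act as wildcards.

    '*' is a wildcard in every field. In `resources`, Kubernetes also matches
    '*/<subresource>' (for example '*/scale') against that subresource of
    every resource type, so such entries are reported as well.
    """
    return [
        v for v in values
        if v == "*" or (field == "resources" and v.startswith("*/"))
    ]


def find_wildcard_rules(obj):
    """Scan one Role/ClusterRole, or a kubectl List of them, for wildcard rules.

    Returns a list of (kind, namespace, name, rule_index, {field: [entries]});
    ClusterRoles are cluster-scoped, so their namespace is reported as "".
    """
    items = obj.get("items", []) if obj.get("kind") == "List" else [obj]
    findings = []
    for item in items:
        if item.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = item.get("metadata", {})
        for idx, rule in enumerate(item.get("rules") or []):
            hits = {}
            for field in FIELDS:
                entries = wildcard_entries(field, rule.get(field) or [])
                if entries:
                    hits[field] = entries
            if hits:
                findings.append(
                    (item["kind"], meta.get("namespace", ""), meta.get("name", ""), idx, hits)
                )
    return findings


if __name__ == "__main__":
    # Scan the constructed sample when run interactively; otherwise read JSON
    # from stdin, e.g. `kubectl get clusterroles,roles -A -o json | python3 rbac_wildcards.py`.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_wildcard_rules(data)
    for kind, ns, name, idx, hits in findings:
        location = f"{kind} {ns + '/' if ns else ''}{name} rules[{idx}]"
        print(f"{location}: wildcard in {hits}")
    sys.exit(1 if findings else 0)
```

Run it against the live API rather than only against checked-in manifests: ClusterRoles that use `aggregationRule` have their `rules` filled in by the controller at runtime, so wildcards contributed by an aggregated role only show up in the cluster's view. Extending the check to roles with bound subjects (`kubectl get rolebindings,clusterrolebindings -A -o json`) tells you which of the findings are actually granted to someone.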