Guides
  1. kubernetes policies
  2. Kubernetes Role

Minimize wildcard use in Roles and ClusterRoles (RBAC)

Risk Level: Low
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.IAM.34
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRole should not have rules contain [ (resources with ['%*%']) or (apiGroups with  ['%*%']) or (verbs with  ['%*%'])]

REMEDIATION

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

Kubernetes Role

An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3

Updated 7 months ago