Minimize wildcard use in Roles and ClusterRoles (RBAC)

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard ' * ' which matches all items. Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product. The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Risk Level: Low
Cloud Entity: Kubernetes Role
CloudGuard Rule ID: D9.K8S.IAM.34
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KubernetesRole should not have rules contain [ (resources with ['%*%']) or (apiGroups with  ['%*%']) or (verbs with  ['%*%'])]

REMEDIATION

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

Kubernetes Role

An RBAC Role or ClusterRole contains rules that represent a set of permissions. Permissions are purely additive (there are no "deny" rules).

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices
  • OpenShift Container Platform v3