
☑️ Prevent use of wildcards in Roles and ClusterRoles

Kubernetes Roles and ClusterRoles grant access to resources as sets of objects (apiGroups, resources) and the actions (verbs) that may be taken on those objects. Any of these lists can contain the wildcard "*", which matches every item.

Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

Objects targeted by this rule (kind): Role / ClusterRole

Complexity: medium

Policy as code identifier: CIS_INVALID_WILDCARD_ROLE


This rule will fail

If wildcards are used in the resources or verbs fields of a Role or ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fail-example
rules:
  - apiGroups: [""]
    resources: ["*"]          # wildcard: every resource in the API group
    verbs: ["get", "watch", "list"]

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of wildcards in Roles and ClusterRoles [1 occurrence]
💡 Incorrect value for key `apiGroups`/`resources`/`verbs` - wildcards may provide excessive rights and should only be used when necessary

How to fix this failure

Explicitly define your desired resources/verbs:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pass-example
rules:
  - apiGroups: [""]
    resources: ["pods"]       # only the resource this role actually needs
    verbs: ["get", "watch", "list"]
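As an added example (not Datree's own implementation), the check this rule performs written as a small Python function: it walks the rules of every Role and ClusterRole and flags the exact "*" value in apiGroups, resources and verbs, the three keys named in the CLI message above. Manifests are passed as plain dicts (what yaml.safe_load or json.loads would return for one document) so it runs with the standard library only; the sample manifests are constructed for this example.

```python
"""Flag wildcard "*" values in Role/ClusterRole rules (added example, not Datree code)."""
from typing import Dict, List

RBAC_KINDS = {"Role", "ClusterRole"}
CHECKED_FIELDS = ("apiGroups", "resources", "verbs")


def find_wildcards(manifest: Dict) -> List[str]:
    """Return a path like 'rules[0].resources' for every checked field that
    contains "*"; an empty list means the object passes the rule."""
    if manifest.get("kind") not in RBAC_KINDS:
        return []  # not an RBAC object, nothing to check
    findings: List[str] = []
    for i, rule in enumerate(manifest.get("rules") or []):
        for field in CHECKED_FIELDS:
            # Kubernetes treats the exact string "*" in these lists as "everything".
            if "*" in (rule.get(field) or []):
                findings.append(f"rules[{i}].{field}")
    return findings


def report(manifests: List[Dict]) -> Dict[str, List[str]]:
    """Map '<kind>/<name>' to its findings for every manifest that fails."""
    result: Dict[str, List[str]] = {}
    for m in manifests:
        hits = find_wildcards(m)
        if hits:
            name = (m.get("metadata") or {}).get("name", "<unnamed>")
            result[f"{m.get('kind')}/{name}"] = hits
    return result


# Constructed samples: the page's failing Role, its fixed form, and a
# ClusterRole that names its resources but wildcards its verbs.
SAMPLES = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "fail-example", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "pass-example", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "verb-wildcard"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for obj, hits in report(SAMPLES).items():
        print(f"❌ {obj}: wildcard in {', '.join(hits)}")
```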
