Skip to main content

☑️ Prevent use of wildcards in Roles and ClusterRoles

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items.

Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

Targeted objects by this rule (types of kind): Role / ClusterRole

Complexity: medium (What does this mean?)

Policy as code identifier: CIS_INVALID_WILDCARD_ROLE


This rule will fail​

If wildcards are used in the resources or verbs fields of a Role or ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
rules:
- resources: ["*"]
verbs: ["get", "watch", "list"]

Rule output in the CLI​

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent use of wildcards in Roles and ClusterRoles [1 occurrence]
💡 Incorrect value for key `apiGroups`/`resources`/`verbs` - wildcards may provide excessive rights and should only be used when necessary

How to fix this failure​

Explicitly define your desired resources/verbs:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
rules:
- resources: ["pods"]
verbs: ["get", "watch", "list"]

Read more​