Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries Affecting Role service in Kubernetes

Severity Framework Snyk CCSS

Rule category IAM / Access Control

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Kubernetes

Snyk ID SNYK-CC-00652
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries. A wildcard resource entry matches all resources. A wildcard verb entry matches all actions. This violates the principle of least privilege, since roles should only grant access to those resources and actions which are necessary for the workload to function.

How to fix?

Ensure rule.verbs attribute in ClusterRole and Role not to *.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: valid-role
rules:
  - apiGroups: ["v1"]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: valid-crole
rules:
  - apiGroups: ["v1"]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]

Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries Affecting Role service in Kubernetes

Description

How to fix?

Kubernetes

Terraform

References