Role with too wide permissions Affecting Deployment service in Kubernetes

Severity Framework Snyk CCSS

Rule category IAM / Access Control

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CSA-CCM

Snyk ID SNYK-CC-00643
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

How to fix?

Remove any wildcards [*] from rules.verbs and rules.resources.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: allowed-role
rules:
- apiGroups: [""] 
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

Kubernetes

Using RBAC Authorization

Terraform

kubernetes_role