Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-CC-00652
- credit Snyk Research Team
Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries. A wildcard resource entry matches all resources. A wildcard verb entry matches all actions. This violates the principle of least privilege, since roles should only grant access to those resources and actions which are necessary for the workload to function.
How to fix?
rule.verbs attribute in
Role not to
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: valid-role rules: - apiGroups: ["v1"] resources: ["configmaps"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: valid-crole rules: - apiGroups: ["v1"] resources: ["configmaps"] verbs: ["get", "list", "watch"]