Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries Affecting Role service in Kubernetes


Severity: high (Snyk CCSS)
Rule category: IAM / Access Control

Frameworks: CIS-Kubernetes
Snyk ID: SNYK-CC-00652
Credit: Snyk Research Team

Description

Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries. A wildcard resource entry (`*`) matches every resource, a wildcard verb entry matches every action, and a wildcard apiGroup entry matches every API group, including resources, actions, and groups that do not exist yet when the role is written. This violates the principle of least privilege: a role should grant access only to the specific resources and actions the workload needs to function, so that a compromised service account cannot be used to read or change anything else in the cluster.

How to fix?

Ensure that the rule.verbs, rule.resources, and rule.apiGroups attributes of every rule in a ClusterRole or Role are not set to `*`. List the exact API groups, resources, and verbs the workload requires instead.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: valid-role
rules:
  # configmaps live in the core API group, which RBAC spells as "" (not "v1")
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]   # read-only; no wildcard entries

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: valid-role
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
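The following checker is an added example, not Snyk's own tooling. It reads the JSON that `kubectl get roles,clusterroles -A -o json` prints and reports every rule whose apiGroups, resources or verbs contain a wildcard, which is the condition this rule describes. The embedded sample document is constructed for the example: it contains the page's compliant Role (with the core API group spelled `""`, as Kubernetes expects) and a constructed ClusterRole named `too-broad` that uses wildcards, including a `*/scale` subresource wildcard.

```python
"""Flag wildcard entries in Kubernetes Role and ClusterRole rules.

Added example (not Snyk's own code). Input is the JSON produced by
`kubectl get roles,clusterroles -A -o json`, or a single object.
"""
import json

# The three rule attributes the Snyk rule checks for "*".
CHECKED_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(obj):
    """Return a list of findings for one Role or ClusterRole object.

    Each finding records kind, name, namespace, rule index, the field
    and the offending entry. Any entry containing '*' is reported, so
    subresource wildcards such as "*/scale" are caught as well as "*".
    """
    findings = []
    meta = obj.get("metadata", {})
    for idx, rule in enumerate(obj.get("rules") or []):
        for field in CHECKED_FIELDS:
            # nonResourceURLs rules legitimately omit apiGroups/resources
            for entry in rule.get(field) or []:
                if "*" in entry:
                    findings.append({
                        "kind": obj.get("kind"),
                        "name": meta.get("name"),
                        "namespace": meta.get("namespace"),
                        "rule": idx,
                        "field": field,
                        "entry": entry,
                    })
    return findings


def scan(kubectl_json):
    """Scan a kubectl JSON document (single object or a List) and return all findings."""
    doc = json.loads(kubectl_json)
    objects = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in objects:
        if obj.get("kind") in ("Role", "ClusterRole"):
            findings.extend(wildcard_findings(obj))
    return findings


# Constructed sample in the shape of `kubectl get ... -o json` output.
SAMPLE = json.dumps({
    "kind": "List",
    "apiVersion": "v1",
    "items": [
        {   # compliant: exact group, resource and verbs
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "Role",
            "metadata": {"name": "valid-role", "namespace": "default"},
            "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                       "verbs": ["get", "list", "watch"]}],
        },
        {   # constructed non-compliant ClusterRole
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole",
            "metadata": {"name": "too-broad"},
            "rules": [
                {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                {"apiGroups": ["apps"], "resources": ["*/scale"],
                 "verbs": ["get", "list"]},
                {"nonResourceURLs": ["/healthz"], "verbs": ["get"]},
            ],
        },
    ],
})

if __name__ == "__main__":
    for f in scan(SAMPLE):
        ns = f["namespace"] or "<cluster>"
        print(f"{f['kind']} {ns}/{f['name']} rule[{f['rule']}] "
              f"{f['field']}: {f['entry']!r}")
```

Running it against the sample prints four findings, all from `too-broad`: the three `*` entries of its first rule and the `*/scale` resource of its second, while `valid-role` and the nonResourceURLs rule produce nothing. Against a real cluster, pipe `kubectl get roles,clusterroles -A -o json` into `scan` and review each finding against what the bound workload actually needs.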
