Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries Affecting Role service in Kubernetes


Severity: high
Severity Framework: Snyk CCSS
Rule category: IAM / Access Control

Frameworks: CIS-Kubernetes
Snyk ID: SNYK-CC-00652
Credit: Snyk Research Team

Description

Roles and cluster roles should not use wildcards for resource, verb, or apiGroup entries. A wildcard resource entry matches all resources. A wildcard verb entry matches all actions. A wildcard apiGroup matches all API groups. This violates the principle of least privilege, since roles should only grant access to those resources and actions which are necessary for the workload to function.

How to fix?

Ensure that the rule.verbs, rule.resources, and rule.apiGroups attributes in every ClusterRole and Role do not contain the wildcard entry *. List the specific API groups, resources, and verbs the workload needs instead.

Example Configuration

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: valid-role
rules:
  # "" is the core API group, where ConfigMaps live ("v1" is an apiVersion, not a group)
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]   # read-only; no "*"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: valid-role
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
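The following checker is an added example, not part of this Snyk rule page or of Snyk's own tooling. It implements the check the rule describes over the JSON that kubectl prints for roles and cluster roles (a List whose items are Role/ClusterRole objects), using only the Python standard library so it also runs offline on a saved dump. The sample dump embedded in the script is constructed for illustration; it contains one fully wildcarded ClusterRole, one least-privilege Role like the example above, and one Role that is specific in apiGroups and resources but uses "*" for verbs, which the rule flags just the same.

```python
"""Flag Role/ClusterRole rules that use '*' in verbs, resources or apiGroups.

Input is the JSON printed by `kubectl get roles,clusterroles -A -o json`
(a List whose items are Role/ClusterRole objects) or a single object.
"""
import json
import sys

WILDCARD = "*"
CHECKED_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(rbac_object):
    """Return one finding per wildcard entry in one Role/ClusterRole object.

    A finding is (kind, namespace, name, rule_index, field). The namespace is
    "" for a ClusterRole, which is cluster-scoped.
    """
    meta = rbac_object.get("metadata", {})
    findings = []
    for idx, rule in enumerate(rbac_object.get("rules") or []):
        for field in CHECKED_FIELDS:
            # A rule may omit a field (e.g. nonResourceURLs rules have no resources).
            if WILDCARD in (rule.get(field) or []):
                findings.append((rbac_object.get("kind"), meta.get("namespace", ""),
                                 meta.get("name"), idx, field))
    return findings


def audit(dump):
    """Audit a kubectl JSON dump (a List, or a single Role/ClusterRole)."""
    items = dump["items"] if dump.get("kind") == "List" else [dump]
    findings = []
    for obj in items:
        if obj.get("kind") in ("Role", "ClusterRole"):
            findings.extend(wildcard_findings(obj))
    return findings


# Constructed sample dump, shaped like kubectl's output; not taken from any real cluster.
SAMPLE_DUMP = {
    "kind": "List",
    "apiVersion": "v1",
    "items": [
        {   # every field wildcarded: equivalent to cluster-admin on all resources
            "kind": "ClusterRole",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "too-broad"},
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
        {   # least privilege: read ConfigMaps in one namespace; core group is ""
            "kind": "Role",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "configmap-reader", "namespace": "app"},
            "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                       "verbs": ["get", "list", "watch"]}],
        },
        {   # subtler: specific group and resource, but "*" verbs still grants delete/patch
            "kind": "Role",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": "deploy-anything", "namespace": "app"},
            "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}],
        },
    ],
}


if __name__ == "__main__":
    # Read a kubectl dump from stdin when one is piped in; otherwise use the sample.
    dump = SAMPLE_DUMP if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit(dump)
    for kind, ns, name, idx, field in results:
        where = f"{ns}/{name}" if ns else name
        print(f"{kind} {where}: rules[{idx}].{field} contains '*'")
    sys.exit(1 if results else 0)
```

Run it against a live cluster with `kubectl get roles,clusterroles -A -o json | python3 rbac_wildcards.py`; a non-zero exit makes it usable as a CI gate. Expect some hits on built-in cluster roles such as cluster-admin, which are outside a workload's control, so in practice you would scope the dump to the namespaces or label selectors you own.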
