C-0187 - Minimize wildcard use in Roles and ClusterRoles

Framework

cis-v1.23-t1.0.1, cis-aks-t1.2.0, ClusterScan, cis-eks-t1.2.0

Severity

High

Description of the the issue

The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Related resources

ClusterRole, ClusterRoleBinding, Role, RoleBinding

What does this control test

Check which subjects have wildcard RBAC permissions.

How to check it manually

Retrieve the roles defined across each namespaces in the cluster and review for wildcards

kubectl get roles --all-namespaces -o yaml

Retrieve the cluster roles defined in the cluster and review for wildcards

kubectl get clusterroles -o yaml

Remediation

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

Impact Statement

Default Value

Example

No example