C-0187 - Minimize wildcard use in Roles and ClusterRoles
cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0
Description of the the issue
The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.
ClusterRole, ClusterRoleBinding, Role, RoleBinding
What does this control test
Check which subjects have wildcard RBAC permissions.
How to check it manually
Retrieve the roles defined across each namespaces in the cluster and review for wildcards
kubectl get roles --all-namespaces -o yaml
Retrieve the cluster roles defined in the cluster and review for wildcards
kubectl get clusterroles -o yaml
Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.
Updated 8 days ago