Excessive wildcard permissions

ID: rbac_wildcard_rules
Severity: low
Vendor: Kubernetes
Resource: General Security
Tags: reachable

Description

Kubernetes RBAC is a key security control to ensure that cluster users and workloads have only the access to resources required to execute their roles. It is important to ensure that, when designing permissions for cluster users, the cluster administrator understands the areas where privilege escalation could occur, to reduce the risk of excessive access leading to security incidents.

Providing wildcard access gives rights not just to all object types that currently exist in the cluster, but also to all object types which are created in the future.

Avoid providing wildcard permissions when possible, especially to all resources.

Learn more about this topic at Role Based Access Control Good Practices.

Examples

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: weak
rules:
  - apiGroups: ["rrhh-*"]    # (1)
    resources: ["*-pods"]    # (1)
    verbs: ["*"]             # (1)
(1) Avoid wildcards: a wildcard may end up covering more than you intended, either in a later version of Kubernetes or when new resources are added to the cluster.

Mitigation / Fix

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: weak
rules:
  - apiGroups: ["rrhh-user", "rrhh-guest"]    # (1)
    resources: ["std-pods"]                   # (1)
    verbs: ["get"]                            # (1)
(1) Make the permissions granted by your roles as precise as possible: list the exact API groups, resources and verbs the subject needs.
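To check a live cluster for the pattern shown in both examples above, the following added script (not part of this page or of any vendor tool) walks the JSON that `kubectl get clusterroles,roles -A -o json` prints and reports every rule whose apiGroups, resources or verbs contain a `*`. The embedded SAMPLE input, the role name `fixed` and the high/low split for a rule that wildcards all three fields are assumptions made for the example.

```python
"""Flag Kubernetes RBAC rules that use wildcards (added example, not the page's code)."""
import json
import sys

FIELDS = ("apiGroups", "resources", "verbs")

# Constructed sample input in kubectl List format, mirroring the page's two examples.
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "weak"},
     "rules": [{"apiGroups": ["rrhh-*"], "resources": ["*-pods"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "fixed"},
     "rules": [{"apiGroups": ["rrhh-user", "rrhh-guest"],
                "resources": ["std-pods"], "verbs": ["get"]}]},
]}


def wildcard_fields(rule):
    """Return the rule fields whose entries contain a '*' (bare or embedded)."""
    return [f for f in FIELDS if any("*" in str(v) for v in rule.get(f) or [])]


def find_wildcard_rules(role_list):
    """Walk a kubectl JSON List of Roles/ClusterRoles; return one finding per wildcard rule.

    Assumed severity scheme: a rule with a bare '*' in apiGroups, resources and verbs
    grants everything, including object types that do not exist yet, so it is 'high';
    any other wildcard use is 'low' (the severity this page's rule carries).
    """
    findings = []
    for role in role_list.get("items", []):
        meta = role["metadata"]
        ident = f"{role['kind']}/{meta['name']}"
        if meta.get("namespace"):
            ident += f" (ns={meta['namespace']})"
        for idx, rule in enumerate(role.get("rules") or []):
            fields = wildcard_fields(rule)
            if not fields:
                continue
            full = all("*" in (rule.get(f) or []) for f in FIELDS)
            findings.append({"role": ident, "rule": idx, "fields": fields,
                             "severity": "high" if full else "low"})
    return findings


if __name__ == "__main__":
    # Use the constructed sample on a terminal; otherwise read kubectl's JSON from stdin.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_wildcard_rules(data):
        print(f"[{f['severity']}] {f['role']} rule[{f['rule']}]: wildcard in {', '.join(f['fields'])}")
```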