Profile applicability: Level 1 - Worker Node
Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects
and
actions that can be taken on those objects. It is possible to set either of these
to be the
wildcard "*" which matches all items.
Use of wildcards is not optimal from a security perspective as it may allow for inadvertent
access to be granted when new resources are added to the Kubernetes API either as
CRDs or in
later versions of the product.
The principle of least privilege recommends that users are provided only the access
required
for their role and nothing more. The use of wildcard rights grants is likely to provide
excessive
rights to the Kubernetes API.
Audit
Retrieve the roles defined across each namespaces in the cluster and review for wildcards:
kubectl get roles --all-namespaces -o yaml
Retrieve the cluster roles defined in the cluster and review for wildcards:
kubectl get clusterroles -o yaml
Remediation
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or
actions.