RBAC Wildcard In Rule
- Query id: 6b896afb-ca07-467a-b256-1a0077a1c08e
- Query name: RBAC Wildcard In Rule
- Platform: Kubernetes
- Severity: High
- Category: Access Control
- CWE: 732
- URL: Github
Description¶
Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: rbac1
name: configmap-modifier
rules:
- apiGroups: ["*"]
resources: ["configmaps"]
verbs: ["*"]
---
# Define role for OPA/kube-mgmt to update configmaps with policy status.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: rbac2
name: configmap-modifier1
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: rbac3
name: configmap-modifier2
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["*"]
verbs: ["POST"]
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: opa
name: configmap-modifier
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["update", "patch"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: opa
name: configmap-modifier
rules:
- apiGroups: [""]
resources: ["searchmaps"]
verbs: ["create", "patch"]