RBAC Wildcard In Rule

• Query id: 6b896afb-ca07-467a-b256-1a0077a1c08e
• Query name: RBAC Wildcard In Rule
• Platform: Kubernetes
• Severity: High
• Category: Access Control
• CWE: 732
• URL: Github

Description

Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac1
  name: configmap-modifier
rules:
- apiGroups: ["*"]
  resources: ["configmaps"]
  verbs: ["*"]
---
# Define role for OPA/kube-mgmt to update configmaps with policy status.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac2
  name: configmap-modifier1
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac3
  name: configmap-modifier2
rules:
- operations: ["CREATE", "UPDATE"]
  apiGroups: ["*"]
  apiVersions: ["*"]
  resources: ["*"]
  verbs: ["POST"]

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: opa
  name: configmap-modifier
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["update", "patch"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: opa
  name: configmap-modifier
rules:
- apiGroups: [""]
  resources: ["searchmaps"]
  verbs: ["create", "patch"]