v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/kubernetes_compliance
Overview
4Dashboards
790Controls
781Queries
2Variables
GitHub

Control: 5.1.3 Minimize wildcard use in Roles and ClusterRoles

Description

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items.

Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Remediation

Where possible replace any use of wildcards in clusterroles and roles with specific objects or actions.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.cis_v170_5_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.cis_v170_5_1_3 --share

SQL

This control uses a named query:

role_with_wildcards_used

Tags

category = Compliance
cis = true
cis_item_id = 5.1.3
cis_level = 1
cis_section_id = 5.1
cis_type = manual
cis_version = v1.7.0
kubernetes_version = v1.25
plugin = kubernetes
service = Kubernetes/Role