Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: Minimize wildcard use in Roles and ClusterRoles

Description

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*" which matches all items. Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.role_with_wildcards_used

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.role_with_wildcards_used --share

SQL

This control uses a named query:

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when rule ->> 'apiGroups' like '%*%'
      or rule ->> 'resources' like '%*%'
      or rule ->> 'verbs' like '%*%' then 'alarm'
    else 'ok'
  end as status,
  case
    when rule ->> 'apiGroups' like '%*%' then name || ' api groups use wildcards.'
    when rule ->> 'resources' like '%*%' then name || ' resources use wildcards.'
    when rule ->> 'verbs' like '%*%' then name || ' actions use wildcards.'
    else name || ' uses no wildcard.'
  end as reason,
  name as role_name
  
  , coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_cluster_role,
  jsonb_array_elements(rules) rule
where
  name not like '%system%'
group by
  uid,
  status,
  reason,
  role_name,
  path,
  start_line,
  end_line,
  source_type,
  context_name,
  tags,
  _ctx;

Tags

category = Compliance
cis = true
plugin = kubernetes
service = Kubernetes/Role