Id: 6b896afb-ca07-467a-b256-1a0077a1c08e
Cloud Provider: k8s
Framework: Kubernetes
Severity: High
Category: Access Control
Description
Roles and ClusterRoles whose rules use the wildcard "*" (in apiGroups, resources or verbs) grant excessive rights to the Kubernetes API and should be avoided. Following the principle of least privilege, each rule should name only the API groups, resources and verbs the subject actually needs.
Compliant Code Examples
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped; a namespace here has no effect.
  namespace: opa
  name: configmap-modifier
rules:
  # Explicit group, resource and verbs; no wildcard.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["update", "patch"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: opa
  name: configmap-modifier
rules:
  - apiGroups: [""]
    resources: ["searchmaps"]
    verbs: ["create", "patch"]
Non-Compliant Code Examples
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac1
  name: configmap-modifier
rules:
  # Wildcard apiGroups and verbs: every verb on configmaps in every API group.
  - apiGroups: ["*"]
    resources: ["configmaps"]
    verbs: ["*"]
---
# Define role for OPA/kube-mgmt to update configmaps with policy status.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac2
  name: configmap-modifier1
rules:
  # Wildcard on all three fields: full access to everything in the namespace.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: rbac3
  name: configmap-modifier2
rules:
  # Wildcard apiGroups and resources; the extra fields are shown as on the page.
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["*"]
    apiVersions: ["*"]
    resources: ["*"]
    verbs: ["POST"]
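The check this rule performs can be reproduced offline. The following is an added example, not Datadog's or KICS's own implementation; it takes a Role or ClusterRole already parsed into a dict (the shape that yaml.safe_load produces, so no YAML library is required) and reports every rule field that contains a wildcard, using constructed copies of the page's compliant and non-compliant manifests as input. It also treats "*/<subresource>" patterns such as "*/scale" as wildcards, which goes slightly beyond the page's examples.

```python
"""Flag wildcard grants in Kubernetes Role/ClusterRole rules (added example)."""
from typing import Any

RBAC_KINDS = {"Role", "ClusterRole"}
RULE_FIELDS = ("apiGroups", "resources", "verbs")


def is_wildcard(value: Any) -> bool:
    """True for a bare "*" and for "*/<subresource>" patterns such as
    "*/scale", which grant that subresource on every resource type."""
    return isinstance(value, str) and (value == "*" or value.startswith("*/"))


def wildcard_findings(manifest: dict[str, Any]) -> list[str]:
    """Return one finding per rule field that contains a wildcard.
    Non-RBAC kinds and rules without wildcards yield an empty list."""
    if manifest.get("kind") not in RBAC_KINDS:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    ident = f"{manifest['kind']}/{name}"
    findings = []
    for idx, rule in enumerate(manifest.get("rules") or []):
        for field in RULE_FIELDS:
            hits = [v for v in (rule.get(field) or []) if is_wildcard(v)]
            if hits:
                findings.append(f"{ident}: rules[{idx}].{field} uses {hits}")
    return findings


def scan(manifests: list[dict[str, Any]]) -> list[str]:
    """Collect findings across every document of a multi-document manifest."""
    return [f for m in manifests for f in wildcard_findings(m)]


# Constructed sample manifests mirroring the page's examples (assumed input).
COMPLIANT_ROLE = {
    "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"namespace": "opa", "name": "configmap-modifier"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["update", "patch"]}],
}
WILDCARD_ROLE = {
    "kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"namespace": "rbac2", "name": "configmap-modifier1"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for finding in scan([COMPLIANT_ROLE, WILDCARD_ROLE]):
        print(finding)
```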