Minimize wildcard use in Roles and ClusterRoles

Docs > Datadog Security > OOTB Rules > Minimize wildcard use in Roles and ClusterRoles

Classification:

compliance

Framework:

cis-kubernetes

Control:

5.1.3

Set up the kubernetes integration.

Description

Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard “*” which matches all items. Use of wildcards is not optimal from a security perspective, as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.

Rationale

The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Audit

Retrieve the roles defined across each namespaces in the cluster and review for wildcards: kubectl get roles --all-namespaces -o yaml

Retrieve the cluster roles defined in the cluster and review for wildcards: kubectl get clusterroles -o yaml

Remediation

Where possible, replace any use of wildcards in clusterroles and roles with specific objects or actions.

Impact

None

Default value

None

References

None

CIS controls

None