Profile Applicability:
Level 1
Description:
Roles and ClusterRoles in Kubernetes are used to define permissions for accessing resources within a cluster. Wildcards (*) should be avoided as they provide overly broad permissions, potentially granting access to resources or actions that are not necessary. This check ensures that wildcards are minimized, and more granular permissions are set in roles and ClusterRoles.
Rationale:
Using wildcards in Roles and ClusterRoles allows broad, unrestricted access to resources, which violates the principle of least privilege. Limiting the use of wildcards helps ensure that users and service accounts have access only to the specific resources and actions they need to perform their tasks, reducing the risk of accidental or malicious misuse.
Impact:
Pros:
Enhances security by ensuring that permissions are narrowly defined.
Reduces the attack surface by limiting access to only necessary resources.
Cons:
More granular roles and permissions can lead to increased administrative overhead and require careful management.
Default Value:
By default, Kubernetes roles and ClusterRoles may use wildcards in some configurations (e.g., * for resources or verbs), but this should be avoided for security reasons.
Pre-requisites:
Ensure that the necessary permissions are clearly defined, and that granular access controls are applied based on the least privilege principle.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Kubernetes RBAC settings and review the role and ClusterRole definitions.
Ensure that wildcards are not used for verbs or resources unless absolutely necessary.
Using Azure CLI:
List all roles and ClusterRoles with the following command:
kubectl get roles --all-namespaces -o yaml
kubectl get clusterroles -o yaml
Review the roles and ClusterRoles for the use of wildcards (*) and ensure they are only used when strictly required.
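The review step above can be automated. The following is an added example, not part of the original benchmark text: it parses the JSON form of the same listings (-o json instead of -o yaml) and reports every rule containing a wildcard. As assumptions beyond the text, it also checks apiGroups and nonResourceURLs, treats partial wildcards such as pods/* as findings, and marks Kubernetes default roles by their kubernetes.io/bootstrapping label; the sample data and role names are constructed.

```python
import json
import sys

# Rule fields of a Role or ClusterRole that accept "*".
FIELDS = ("apiGroups", "resources", "verbs", "nonResourceURLs")
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"


def find_wildcard_rules(role_list):
    """Return one finding per rule that has a wildcard in any field."""
    findings = []
    for item in role_list.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        # Aggregated ClusterRoles may have rules set to null.
        for index, rule in enumerate(item.get("rules") or []):
            hits = {f: [v for v in rule.get(f) or [] if "*" in v] for f in FIELDS}
            hits = {f: v for f, v in hits.items() if v}
            if hits:
                findings.append({
                    "kind": item.get("kind", "?"),
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name", "?"),
                    "rule": index,
                    "wildcards": hits,
                    # Default roles carry this label; triage them separately.
                    "bootstrap": labels.get(BOOTSTRAP_LABEL) == "rbac-defaults",
                })
    return findings


# Constructed sample shaped like `kubectl get clusterroles -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin",
     "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "ci-deployer", "namespace": "build"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/*"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "build"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "aggregated-view"}, "rules": None},
]}

if __name__ == "__main__":
    # Pass "-" to read kubectl JSON from stdin; otherwise scan the sample.
    data = json.load(sys.stdin) if "-" in sys.argv[1:] else SAMPLE
    for f in find_wildcard_rules(data):
        tag = " (default role)" if f["bootstrap"] else ""
        print(f'{f["kind"]} {f["namespace"] or "<cluster>"}/{f["name"]} rule[{f["rule"]}]{tag}: {f["wildcards"]}')
```

Run it once per listing, piping each kubectl command's -o json output to the script with "-" as its argument.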
Implementation Plan:
Using Azure Console:
Review all role and ClusterRole configurations.
Modify any roles or ClusterRoles that use wildcards to grant more specific permissions, defining resources and verbs individually instead of using *.
Using Azure CLI:
Update roles or ClusterRoles by editing the configuration and removing wildcards. Example:
kubectl edit clusterrole <clusterrole-name>
Replace any wildcard * with specific resources or verbs as needed.
Backout Plan:
Using Azure Console:
If restricting wildcard use causes issues with access, revert the roles or ClusterRoles to their original configuration, reintroducing the wildcard where necessary.
Using Azure CLI:
Revert the changes made to the roles or ClusterRoles by editing them back to their previous configuration: