Profile Applicability:

  • Level 1

Description:
 Kubernetes Roles and ClusterRoles can specify resources and verbs that define access permissions. Wildcards (*) in Roles or ClusterRoles grant broad permissions to all resources or verbs. This check ensures that wildcards are avoided in Roles and ClusterRoles to minimize overly permissive access and enforce the principle of least privilege by specifying only the required resources and verbs.

Rationale:
 Using wildcards in Roles and ClusterRoles can grant excessive permissions, which increases the risk of unauthorized access or accidental exposure of resources. By restricting the use of wildcards, administrators can ensure that users or service accounts are only granted the exact permissions they need, reducing the potential attack surface.

Impact:

  • Pros:

    • Limits the exposure of sensitive resources by specifying only the required permissions.

    • Follows the principle of least privilege, improving security by reducing unnecessary permissions.

    • Reduces the risk of accidental exposure of Kubernetes resources.

  • Cons:

    • Requires careful definition of roles and permissions, which may increase management overhead.

    • Some workloads may require broader access permissions, which could complicate RBAC configuration.

Default Value:
 By default, Kubernetes does not use wildcards in Roles and ClusterRoles unless explicitly configured by users. This check ensures that wildcards are only used where absolutely necessary.

Pre-requisites:
 Ensure that RBAC (Role-Based Access Control) is properly configured and that roles are defined with precise permissions to restrict access to only necessary resources and verbs.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.

  2. Review the Role-Based Access Control (RBAC) settings for Roles and ClusterRoles in the cluster.

  3. Ensure that wildcards (*) are not used in Roles or ClusterRoles unless absolutely necessary for specific use cases.

Using Azure CLI:

1. Use the following commands to list all Roles and ClusterRoles that use a wildcard in the apiGroups, resources or verbs fields. The JSON output is filtered with jq, because kubectl's jsonpath filter cannot match a value inside a nested list such as rules[].resources:

kubectl get roles --all-namespaces -o json | jq -r '.items[] | select(any(.rules[]?; any(.apiGroups[]?, .resources[]?, .verbs[]?; . == "*"))) | "\(.metadata.namespace)/\(.metadata.name)"'

kubectl get clusterroles -o json | jq -r '.items[] | select(any(.rules[]?; any(.apiGroups[]?, .resources[]?, .verbs[]?; . == "*"))) | .metadata.name'

2. Ensure that wildcards are not used in any Role or ClusterRole unless explicitly required for specific use cases.

3. Verify the detailed permissions of a specific Role or ClusterRole using the following command:

kubectl describe role <role-name> --namespace=<namespace-name>
kubectl describe clusterrole <clusterrole-name>
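
The same wildcard check run offline over the JSON that `kubectl get roles -A -o json` or `kubectl get clusterroles -o json` produce, as an added example that is not part of this benchmark. It also flags wildcards in apiGroups, not only resources and verbs, and tolerates aggregated ClusterRoles whose rules field is null; the sample objects are constructed here, not taken from a real cluster.

```python
import json
import sys
from typing import Dict, List, Tuple

# Fields of an RBAC rule in which "*" means "everything".
RULE_FIELDS = ("apiGroups", "resources", "verbs")

def wildcard_rules(role_list: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (kind, namespace, name, field) for every rule field set to "*".

    role_list is the parsed JSON from `kubectl get roles -A -o json` or
    `kubectl get clusterroles -o json` (a List object with an "items" array).
    """
    findings = set()
    for item in role_list.get("items", []):
        meta = item.get("metadata", {})
        kind = item.get("kind", "")
        namespace = meta.get("namespace", "")  # empty for ClusterRoles
        # Aggregated ClusterRoles can carry "rules": null, hence the `or []`.
        for rule in item.get("rules") or []:
            for field in RULE_FIELDS:
                if "*" in (rule.get(field) or []):
                    findings.add((kind, namespace, meta.get("name", ""), field))
    return sorted(findings)

# Constructed sample in the shape kubectl emits (not from a real cluster).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
  {"kind": "Role", "metadata": {"name": "cm-editor", "namespace": "dev"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "aggregated"}, "rules": null}
]}
""")

if __name__ == "__main__":
    # Pipe kubectl JSON in, or run with no input to see the sample result.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, namespace, name, field in wildcard_rules(data):
        print(f"{kind}\t{namespace or '-'}\t{name}\t{field}")
```

Run it as `kubectl get clusterroles -o json | python3 check_wildcards.py` (filename assumed); each line names one object and the field that still carries a wildcard.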

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, navigate to your AKS cluster and access the Role-Based Access Control (RBAC) settings.

  2. Review all Roles and ClusterRoles for wildcards in the permissions, especially in the resources and verbs fields.

  3. Apply the updated configuration to restrict the permissions for each Role or ClusterRole.

Using Azure CLI:

1. If a Role or ClusterRole is using a wildcard (*), update it to explicitly list the required resources and verbs. For example, instead of:

resources: ["*"]
verbs: ["*"]

2. Replace them with the specific resources and verbs the workload actually needs, listing each resource type and each verb explicitly.

3. Apply the updated Role or ClusterRole with:

kubectl apply -f role-or-clusterrole.yaml

4. Ensure that RoleBindings and ClusterRoleBindings are properly updated to reflect the more restrictive permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: restricted-access-binding
  namespace: <namespace-name>
subjects:
- kind: User
  name: <user-name>
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: restricted-access
  apiGroup: rbac.authorization.k8s.io

Backout Plan:

Using Azure Console:

  1. If restricting the use of wildcards causes issues with legitimate workloads, revert the changes by modifying the Role or ClusterRole to allow the wildcard (*) for resources or verbs.

Using Azure CLI:

1. To revert the configuration, modify the Role or ClusterRole to allow the use of wildcards and reapply it:

resources: ["*"]
verbs: ["*"]

2. Apply the reverted configuration:

kubectl apply -f reverted-role-or-clusterrole.yaml
