lacework-global-333
This rule also encompasses lacework-global-663. See Adjusted Rules for CIS Amazon EKS 1.1.0 for further details.
4.1.3 Minimize wildcard use in ClusterRoles (Automated)
This rule has been changed to automated, see Automated Policies for CIS Amazon EKS 1.1.0 for details.
Profile Applicability
• Level 1
Description
Kubernetes ClusterRoles provide access to resources based on sets of objects and actions that you can take on those objects.
It is possible to set either of these to be the wildcard "*" which matches all items.
Use of wildcards is not optimal from a security perspective as it may grant inadvertent access when adding new resources to the Kubernetes API either as CRDs or in later versions of the product.
Rationale
The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.
Audit
Retrieve the roles defined across each namespaces in the cluster and review for wildcards
kubectl get roles --all-namespaces -o yaml
Retrieve the cluster roles defined in the cluster and review for wildcards
kubectl get clusterroles -o yaml
Remediation
Where possible replace any use of wildcards in clusterroles with specific objects or actions.
References
https://kubernetes.io/docs/reference/access-authn-authz/rbac/