k8s-rbac-wildcards
Minimize wildcard use in Roles and ClusterRoles
When managing roles for service accounts in Kubernetes, it is highly recommended to make the permissions in your roles as precise as possible. You should avoid the wildcard value ("*"), which makes a rule apply to every variation of the resources or verbs it is used for. It is important to keep in mind that while in a given version of Kubernetes the wildcard ("*") might cover exactly the options you would have specified explicitly, in a later version of Kubernetes the same role may end up covering more than you intended as new features are added.
Examples
Insecure Example

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: basic-read
  namespace: default
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
Secure Example

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: basic-read
  namespace: default
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["configmaps", "deployments"]
    verbs: ["list", "watch", "get"]
```
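To turn the guidance above into a check you can run against a cluster, here is an added example (not part of the original page) that scans Role and ClusterRole objects for wildcard entries in `apiGroups`, `resources` and `verbs`. It reads the JSON shape that `kubectl get roles,clusterroles -A -o json` returns (a `v1` `List` of items), so it needs only the standard library. The embedded manifests are constructed for the example and mirror the insecure and secure roles shown above, plus a ClusterRole using the `*/scale` subresource form, which the check also flags because it still applies to every resource.

```python
import json

# Constructed sample input in the shape of `kubectl get roles,clusterroles -A -o json`.
SAMPLE_MANIFESTS = json.loads("""
{
  "kind": "List",
  "apiVersion": "v1",
  "items": [
    {
      "kind": "Role",
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "metadata": {"name": "basic-read", "namespace": "default"},
      "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    },
    {
      "kind": "Role",
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "metadata": {"name": "basic-read-scoped", "namespace": "default"},
      "rules": [{"apiGroups": ["", "extensions", "apps"],
                 "resources": ["configmaps", "deployments"],
                 "verbs": ["list", "watch", "get"]}]
    },
    {
      "kind": "ClusterRole",
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "metadata": {"name": "scale-anything"},
      "rules": [{"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update"]}]
    }
  ]
}
""")

# The three list fields of a PolicyRule that accept wildcards.
RULE_FIELDS = ("apiGroups", "resources", "verbs")


def _contains_wildcard(value):
    # "*" on its own matches everything in that field; a form such as
    # "*/scale" matches one subresource on every resource, so it is flagged too.
    # Note that "" in apiGroups is the core API group, not a wildcard.
    return "*" in value


def find_wildcard_rules(manifest):
    """Return one finding per (object, rule index, field) that uses a wildcard.

    Accepts a single Role/ClusterRole object or a v1 List wrapping several.
    Objects of any other kind are ignored.
    """
    objects = manifest.get("items", []) if manifest.get("kind") == "List" else [manifest]
    findings = []
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules") or []):
            for field in RULE_FIELDS:
                offending = [v for v in rule.get(field, []) if _contains_wildcard(v)]
                if offending:
                    findings.append({
                        "kind": obj["kind"],
                        "name": meta.get("name", "<unnamed>"),
                        "namespace": meta.get("namespace"),  # None for ClusterRoles
                        "rule": idx,
                        "field": field,
                        "values": offending,
                    })
    return findings


def format_finding(f):
    """One human-readable line per finding, suitable for a CI log."""
    scope = f"{f['namespace']}/" if f["namespace"] else ""
    return (f"{f['kind']} {scope}{f['name']} rules[{f['rule']}].{f['field']} "
            f"uses wildcard entries {f['values']}")


if __name__ == "__main__":
    for finding in find_wildcard_rules(SAMPLE_MANIFESTS):
        print(format_finding(finding))
```

Running the script against a real cluster is a matter of piping `kubectl get roles,clusterroles -A -o json` into `json.load` instead of using the constructed sample. Because the check only looks at the literal `*` in the three rule fields, a role that spells out every current resource by name passes, which is exactly the behaviour the guidance wants: such a role will not silently widen when a later Kubernetes release adds new resource types.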