
KA-A001: Wildcard permissions in Role/ClusterRole


CIS Kubernetes Benchmark v1.8, Section 5.1.3: Minimize wildcard use in Roles and ClusterRoles

Why This Matters

Using a wildcard (*) in apiGroups, resources, or verbs grants overly broad access: a wildcard also matches resources and verbs that do not exist yet, such as those introduced later by a CustomResourceDefinition. CIS Kubernetes Benchmark 5.1.3 recommends minimizing wildcard use in Roles and ClusterRoles. Wildcards bypass the principle of least privilege and can expose the cluster to privilege escalation.

How to Fix

Replace wildcards with the specific API groups, resources, and verbs the subject actually needs.

Before (incorrect)

rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

After (correct)

rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
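The check this rule performs, written out as an added Python example (not the analyzer's own code): it walks the rules of an already parsed Role or ClusterRole (as returned by yaml.safe_load, for instance) and reports every field that contains a literal "*". The manifests BEFORE, AFTER and MIXED are constructed here to mirror the examples above; an empty apiGroups entry ("") is the core group and is not a wildcard.

```python
"""Flag wildcard permissions in Role/ClusterRole rules (CIS 5.1.3 / KA-A001)."""
from typing import Dict, List

CHECKED_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(manifest: Dict) -> List[str]:
    """Return one finding per rule field that contains '*'.

    `manifest` is a parsed Role or ClusterRole; other kinds are ignored.
    """
    kind = manifest.get("kind")
    if kind not in ("Role", "ClusterRole"):
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for idx, rule in enumerate(manifest.get("rules") or []):
        for field in CHECKED_FIELDS:
            values = rule.get(field) or []
            # A '*' listed next to explicit values is still a wildcard grant.
            if "*" in values:
                findings.append(f"{kind}/{name} rules[{idx}].{field} uses '*'")
    return findings


# Constructed sample manifests (not taken from a real cluster).
BEFORE = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
          "metadata": {"name": "too-broad"},
          "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

AFTER = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"name": "pod-reader", "namespace": "default"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list", "watch"]}]}

# Partial wildcard: explicit resources, but verbs quietly widened with '*'.
MIXED = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"name": "half-fixed", "namespace": "default"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "*"]}]}

if __name__ == "__main__":
    for manifest in (BEFORE, AFTER, MIXED):
        label = f"{manifest['kind']}/{manifest['metadata']['name']}"
        for line in wildcard_findings(manifest) or [f"{label}: no wildcards"]:
            print(line)
```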

Rule Details

Rule Code
KA-A001
Severity
Error
Category
Security
