Restrict Wildcards in Resources
Wildcards ('*') in resources grant access to every resource in the given API group and do not follow the principle of least privilege. Avoid such open resources wherever possible, unless they are scoped to a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the resources list of any rule.
Policy Definition
/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-wildcard-resources
  annotations:
    policies.kyverno.io/title: Restrict Wildcards in Resources
    policies.kyverno.io/category: Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ClusterRole, Role, RBAC
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Wildcards ('*') in resources grants access to all of the resources referenced by
      the given API group and does not follow the principal of least privilege. As much as possible,
      avoid such open resources unless scoped to perhaps a custom API group.
      This policy blocks any Role or ClusterRole that contains a wildcard entry in
      the resources list found in any rule.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: wildcard-resources
    match:
      any:
      - resources:
          kinds:
          - Role
          - ClusterRole
    validate:
      message: "Use of a wildcard ('*') in any resources is forbidden."
      deny:
        conditions:
          any:
          - key: "{{ contains(request.object.rules[].resources[], '*') }}"
            operator: Equals
            value: true
```
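To see exactly what the deny condition accepts and rejects, here is an added Python re-implementation of `contains(request.object.rules[].resources[], '*')` run over constructed Role and ClusterRole manifests; it is not Kyverno code and reproduces the JMESPath flatten by hand rather than calling a JMESPath library, with the sample manifests, `flatten_resources` and `evaluate` being names chosen for this example.

```python
from typing import List, Optional, Tuple

MESSAGE = "Use of a wildcard ('*') in any resources is forbidden."


def flatten_resources(obj: dict) -> List[str]:
    """Hand-rolled `rules[].resources[]`: flatten every rule's resources list.

    Rules with no `resources` key (e.g. nonResourceURLs rules in a ClusterRole)
    contribute nothing, just as a JMESPath projection drops null results.
    """
    flattened = []
    for rule in obj.get("rules") or []:
        for res in rule.get("resources") or []:
            flattened.append(res)
    return flattened


def evaluate(admission_request: dict) -> Tuple[bool, Optional[str]]:
    """Return (denied, message) as the policy's deny condition would decide."""
    obj = admission_request["object"]
    if obj.get("kind") not in ("Role", "ClusterRole"):
        return False, None  # the match block never selects other kinds
    if "*" in flatten_resources(obj):  # contains(..., '*') == true
        return True, MESSAGE
    return False, None


# Constructed sample manifests (not taken from the page).
DENIED_ROLE = {"kind": "Role", "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["list"]},
]}
ALLOWED_CLUSTERROLE = {"kind": "ClusterRole", "rules": [
    {"nonResourceURLs": ["/healthz"], "verbs": ["get"]},  # no resources key
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]},
]}
# Caveat: the condition is an exact string match, so a subresource wildcard
# such as "*/scale" (valid RBAC syntax) slips past this policy.
SUBRESOURCE_WILDCARD = {"kind": "Role", "rules": [
    {"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update"]},
]}

if __name__ == "__main__":
    for name, manifest in [("denied", DENIED_ROLE), ("allowed", ALLOWED_CLUSTERROLE),
                           ("subresource", SUBRESOURCE_WILDCARD)]:
        print(name, evaluate({"object": manifest}))
```

Note that with `validationFailureAction: audit`, as shipped above, Kyverno only records matches in a PolicyReport; set it to `enforce` to actually reject the request.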