Restrict Wildcards in Resources

A wildcard ('*') in the resources list of a rule grants access to every resource in the referenced API group and does not follow the principle of least privilege. Avoid such open grants wherever possible, unless they are scoped to something narrow such as a custom API group. This policy flags any Role or ClusterRole that contains a wildcard entry in the resources list of any rule. Note that the condition is an exact match on the element '*', and that the policy ships with validationFailureAction set to audit, so violations are only reported; set it to enforce to actually block them.

Policy Definition

/other/restrict-wildcard-resources/restrict-wildcard-resources.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-wildcard-resources
  annotations:
    policies.kyverno.io/title: Restrict Wildcards in Resources
    policies.kyverno.io/category: Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: ClusterRole, Role, RBAC
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Wildcards ('*') in resources grant access to all of the resources referenced by
      the given API group and do not follow the principle of least privilege. As much as possible,
      avoid such open resources unless scoped to perhaps a custom API group.
      This policy blocks any Role or ClusterRole that contains a wildcard entry in
      the resources list found in any rule.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: wildcard-resources
      match:
        any:
        - resources:
            kinds:
              - Role
              - ClusterRole
      validate:
        message: "Use of a wildcard ('*') in any resources is forbidden."
        deny:
          conditions:
            any:
            - key: "{{ contains(request.object.rules[].resources[], '*') }}"
              operator: Equals
              value: true
```
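The deny condition above, replicated outside the cluster so RBAC manifests can be linted in CI before they reach admission. This is an added example, not code from the Kyverno policy library: the Role and ClusterRole manifests are constructed for it, and the function and constant names are the example's own. It goes a little beyond the policy in two ways: it reports which rules offend rather than a single fixed message, and it includes an entry the exact-match condition does not catch, `*/status`, which RBAC accepts as the status subresource of every resource.

```python
from __future__ import annotations

from typing import Any, Dict, List

# Constructed sample manifests (not from the Kyverno repo), shaped as the dicts a
# YAML loader would produce for an admission request's `request.object`.
DENIED_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "too-broad", "namespace": "default"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        # second rule uses the bare wildcard: every resource in the apps group
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
    ],
}

ALLOWED_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "deploy-reader", "namespace": "default"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Edge case: RBAC accepts "*/status" (the status subresource of any resource),
# but the policy's condition looks for the exact element "*", so this passes.
SUBRESOURCE_WILDCARD: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "status-writer"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["*/status"], "verbs": ["update", "patch"]},
    ],
}

# Edge case: an aggregated ClusterRole carries no rules of its own when created.
# This replica treats a missing rules list as empty.
AGGREGATED: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "monitoring"},
    "aggregationRule": {
        "clusterRoleSelectors": [{"matchLabels": {"rbac.example.com/aggregate": "true"}}]
    },
}

MATCHED_KINDS = {"Role", "ClusterRole"}  # the policy's match block


def flattened_resources(obj: Dict[str, Any]) -> List[str]:
    """`rules[].resources[]` in JMESPath: every rule's resources, flattened."""
    return [res for rule in obj.get("rules") or [] for res in rule.get("resources") or []]


def has_wildcard_resources(obj: Dict[str, Any]) -> bool:
    """The deny condition: contains(rules[].resources[], '*') equals true."""
    return "*" in flattened_resources(obj)


def offending_rules(obj: Dict[str, Any]) -> List[int]:
    """Indices of the rules that trip the condition, for a precise CI message."""
    return [i for i, rule in enumerate(obj.get("rules") or [])
            if "*" in (rule.get("resources") or [])]


def evaluate(objs: List[Dict[str, Any]]) -> Dict[str, str]:
    """Verdict per object name, in the vocabulary `kyverno apply` reports:
    pass, fail, or skip (kind not matched by the policy)."""
    results: Dict[str, str] = {}
    for obj in objs:
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        if obj.get("kind") not in MATCHED_KINDS:
            results[name] = "skip"
        elif has_wildcard_resources(obj):
            results[name] = "fail"
        else:
            results[name] = "pass"
    return results


if __name__ == "__main__":
    sample = [DENIED_ROLE, ALLOWED_ROLE, SUBRESOURCE_WILDCARD, AGGREGATED,
              {"kind": "ConfigMap", "metadata": {"name": "not-rbac"}}]
    for name, verdict in evaluate(sample).items():
        print(f"{name}: {verdict}")
    print("offending rules in too-broad:", offending_rules(DENIED_ROLE))
```

The authoritative check is still the policy itself: `kyverno apply restrict-wildcard-resources.yaml --resource role.yaml` runs it against the same manifests from the CLI. The replica only shows what the condition does and does not match; the `*/status` case is the one to keep in mind when reading audit results.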