Restrict Wildcard in Verbs

A wildcard ('*') in the verbs list grants every action on the resources the rule references and does not follow the principle of least privilege. Avoid such open verbs wherever possible, unless they are scoped to, say, a custom API group. This policy blocks any Role or ClusterRole that contains a wildcard entry in the verbs list of any rule.

Policy Definition

/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-wildcard-verbs
  annotations:
    policies.kyverno.io/title: Restrict Wildcard in Verbs
    policies.kyverno.io/category: Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role, ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Wildcards ('*') in verbs grant all access to the resources referenced by it and
      do not follow the principle of least privilege. As much as possible,
      avoid such open verbs unless scoped to perhaps a custom API group.
      This policy blocks any Role or ClusterRole that contains a wildcard entry in
      the verbs list found in any rule.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: wildcard-verbs
      match:
        any:
        - resources:
            kinds:
              - Role
              - ClusterRole
      validate:
        message: "Use of a wildcard ('*') in any verbs is forbidden."
        deny:
          conditions:
            any:
            - key: "{{ contains(request.object.rules[].verbs[], '*') }}"
              operator: Equals
              value: true
```
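To see exactly what the deny condition above catches and what it does not, here is an added offline model of the rule in Python (example code, not Kyverno's). The manifests are constructed dicts as a YAML loader would return them, and the check mirrors the flattening projection `rules[].verbs[]` followed by `contains(..., '*')`; note that a wildcard in `resources` or `apiGroups` is outside this policy's scope and passes.

```python
# Offline model of the restrict-wildcard-verbs rule (added example, not
# Kyverno's code). Manifests are constructed dicts, as a YAML loader would
# return them; the check mirrors contains(request.object.rules[].verbs[], '*').

MATCHED_KINDS = {"Role", "ClusterRole"}
MESSAGE = "Use of a wildcard ('*') in any verbs is forbidden."


def flatten_verbs(obj):
    """JMESPath rules[].verbs[]: every verb of every rule in one flat list.
    Rules lacking a verbs key contribute nothing, as a projection drops nulls."""
    verbs = []
    for rule in obj.get("rules") or []:
        verbs.extend(rule.get("verbs") or [])
    return verbs


def evaluate(obj):
    """Return (allowed, reason) as the policy's deny condition would decide.
    Kinds outside the match block are never evaluated and pass through."""
    if obj.get("kind") not in MATCHED_KINDS:
        return True, "not matched by policy"
    if "*" in flatten_verbs(obj):
        return False, MESSAGE
    return True, "no wildcard verbs"


# Constructed sample manifests (not from the page).
LEAST_PRIV_ROLE = {
    "kind": "Role",
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
# Wildcard buried in the second rule: the flattened projection still finds it.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ],
}
# Wildcard in resources only: this policy inspects verbs, so it is NOT denied.
WILDCARD_RESOURCES_ROLE = {
    "kind": "Role",
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch"]}],
}
UNMATCHED_POD = {"kind": "Pod", "spec": {"containers": []}}

if __name__ == "__main__":
    for m in (LEAST_PRIV_ROLE, WILDCARD_ROLE, WILDCARD_RESOURCES_ROLE, UNMATCHED_POD):
        print(m["kind"], evaluate(m))
```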