Skip to content

Wildcard use is not minimized in Roles and ClusterRoles


In Kubernetes, roles and ClusterRoles are used to define the permissions that are granted to users, service accounts, and other entities in the cluster. Roles are namespaced and apply to a specific namespace, while ClusterRoles are cluster-wide and apply to the entire cluster.

When you define a role or ClusterRole, you can use wildcards to specify the resources and verbs that the role applies to. For example, you might specify a role that allows users to perform all actions on all resources in a namespace by using the wildcard "*" for the resources and verbs.

However, using wildcards can be a security risk because it grants broad permissions that may not be necessary for a specific role. If a role has too many permissions, it could potentially be abused by an attacker or compromised user to gain unauthorized access to resources in the cluster.

Fix - Buildtime


resource "kubernetes_cluster_role" "pass" {
  metadata {
    name = "terraform-example"

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["get", "list", "watch"]