Minimize wildcard RBAC verbs
Description
Roles and ClusterRoles should avoid the wildcard "*" in verbs, and likewise in resources and apiGroups, because a wildcard silently covers actions and resource types that did not exist when the rule was written.
⚠️ Risk Impact
A wildcard verb grants every action on the listed resources: get, list, watch, create, update, patch, delete and deletecollection, plus any verb the API adds later. Together with the pods/exec subresource it also covers exec into running pods. A compromised workload whose ServiceAccount is bound to such a role gets full control of everything in scope: the namespace for a RoleBinding, the whole cluster for a ClusterRoleBinding.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Audit every Role and ClusterRole for verbs: ["*"], resources: ["*"] or apiGroups: ["*"] and replace each wildcard with the explicit list the workload actually needs. Then verify from the subject's point of view, for example kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>, which prints exactly the resource/verb pairs that identity is left with.
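As an added example (not EchelonGraph's scanner code), a Python audit over the JSON that kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json prints: it flags "*" in apiGroups, resources or verbs of every Role and ClusterRole and lists the subjects bound to each offending role, which is the blast radius you need to know before tightening the rule. The embedded JSON is a constructed sample, not output from a real cluster.

```python
"""Audit Kubernetes RBAC JSON for wildcard rules and show who is bound to them.

Input shape: a kubectl List as produced by
    kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
SAMPLE_RBAC_JSON below is a constructed sample, not real cluster output.
"""
import json

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")

# Constructed sample: a ClusterRole with a verb wildcard bound to a CI service
# account, a fully wildcarded ClusterRole bound to a group, and one clean Role.
SAMPLE_RBAC_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everything"},
     "roleRef": {"kind": "ClusterRole", "name": "everything"},
     "subjects": [{"kind": "Group", "name": "platform-admins"}]},
]})


def role_key(item):
    """Kind/name for ClusterRoles, Kind/namespace/name for Roles."""
    meta = item["metadata"]
    ns = meta.get("namespace")
    return f"{item['kind']}/{ns}/{meta['name']}" if ns else f"{item['kind']}/{meta['name']}"


def wildcard_fields(item):
    """Return 'rule[i].field' for every rule field that contains '*'."""
    hits = []
    for i, rule in enumerate(item.get("rules") or []):  # rules is null for empty roles
        for field in RULE_FIELDS:
            if WILDCARD in (rule.get(field) or []):
                hits.append(f"rule[{i}].{field}")
    return hits


def bound_subjects(item, bindings):
    """Subjects that reach this role through a RoleBinding or ClusterRoleBinding."""
    role_kind, role_name = item["kind"], item["metadata"]["name"]
    role_ns = item["metadata"].get("namespace")
    out = []
    for b in bindings:
        ref = b["roleRef"]
        if ref["kind"] != role_kind or ref["name"] != role_name:
            continue
        b_ns = b["metadata"].get("namespace")
        # A Role can only be referenced by a RoleBinding in its own namespace;
        # a ClusterRole may be referenced by either binding kind from anywhere.
        if role_kind == "Role" and b_ns != role_ns:
            continue
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else f"namespace {b_ns}"
        for s in b.get("subjects") or []:
            who = (f"ServiceAccount {s['namespace']}/{s['name']}"
                   if s["kind"] == "ServiceAccount" else f"{s['kind']} {s['name']}")
            out.append(f"{who} ({scope} via {b['kind']} {b['metadata']['name']})")
    return out


def report(rbac):
    """Map each wildcard-bearing role to its offending fields and bound subjects."""
    items = rbac.get("items", [])
    bindings = [i for i in items if i["kind"] in ("RoleBinding", "ClusterRoleBinding")]
    findings = {}
    for item in items:
        if item["kind"] not in ("Role", "ClusterRole"):
            continue
        fields = wildcard_fields(item)
        if fields:
            findings[role_key(item)] = {"fields": fields,
                                        "subjects": bound_subjects(item, bindings)}
    return findings


def audit_json(text):
    """Convenience wrapper: parse kubectl JSON output and run the report."""
    return report(json.loads(text))


if __name__ == "__main__":
    for key, f in audit_json(SAMPLE_RBAC_JSON).items():
        print(key, f["fields"])
        for s in f["subjects"]:
            print("   bound:", s)
```

To run it against a real cluster, save the kubectl output to a file and pass its contents to audit_json; an unbound wildcard role still appears in the report with an empty subject list, which is the cheap case to delete outright. Note that the check only inspects the literal "*": a rule that spells out all eight verbs is just as broad, and the ServiceAccount branch assumes the namespace field that the API server always sets on ServiceAccount subjects.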
💀 Real-World Attack Scenario
A CI/CD service account had verbs: ["*"] on Pod resources 'for flexibility'. When the CI/CD system was compromised via dependency confusion, the attacker had unlimited Pod control: exec into running pods, exfiltrate Secrets by creating pods that mount them, and deploy malicious sidecars. Note that exec is a create on the pods/exec subresource, which a rule on pods alone does not cover; a wildcard in resources grants it as well.
💰 Cost of Non-Compliance
Over-privileged K8s RBAC: avg breach scope 3-4× larger.
📋 Audit Questions
- 1. Does any Role or ClusterRole use wildcard verbs?
- 2. Does any use wildcard resources or apiGroups?
- 3. When was RBAC last audited, and were the wildcards found then removed?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Wildcards added 'temporarily' that are never removed
- ⛔ Several groups or service accounts bound to the same wildcard role
- ⛔ No alerting on changes to Roles, ClusterRoles and their bindings
📈 Business Value
Least-privilege RBAC limits K8s breach blast radius.
⏱️ Effort Estimate
20-40 hours initial audit + remediation
EchelonGraph audits K8s RBAC continuously
🔗 Cross-Framework References
Automate CIS Kubernetes Benchmark 5.1.3 (Minimize wildcard use in Roles and ClusterRoles) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.