Minimize wildcard RBAC resources
Description
RBAC rules should avoid wildcard resources (*) — be explicit about which resources are granted.
⚠️ Risk Impact
Wildcard resources cover future resource types added to K8s API. New CRDs become automatically accessible — including AI/ML CRDs like InferenceService.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Replace resources:["*"] with explicit lists. Re-audit after K8s upgrades.
💀 Real-World Attack Scenario
An RBAC granted access to resources:["*"] in a namespace. When the team installed KServe, the AI workloads' InferenceService CRDs were automatically accessible to that role. A compromised pod could now access model artifacts.
💰 Cost of Non-Compliance
Over-broad RBAC: cited in 24% of K8s breaches (Aqua 2024).
📋 Audit Questions
- 1.Wildcard resources in RBAC?
- 2.Justified?
- 3.Re-audited after CRD installations?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔Wildcard 'because we don't know future needs'
- ⛔No CRD-installation review
- ⛔Inherited from kubectl examples
📈 Business Value
Explicit resource lists prevent silent privilege expansion.
⏱️ Effort Estimate
20-40 hours initial audit
EchelonGraph identifies wildcard RBAC
🔗 Cross-Framework References
Automate CIS Kubernetes 5.1.3 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →