opendesk/docs/security/rbac-mgt/rbac-mgt-007_wildcard-verbs.yaml
Sebastian Kawelke ac712f4063 Adds further kyverno policies
Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
2025-12-03 11:48:43 +01:00

# Source: https://github.com/kyverno/policies/tree/main/pod-security
# License: Apache-2.0
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-wildcard-verbs
  labels:
    opendesk.eu/security-id: rbac-mgt-007
  annotations:
    policies.kyverno.io/title: Restrict Wildcard in Verbs
    policies.kyverno.io/category: Security, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role, ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      A wildcard ('*') in the verbs list grants every verb on the resources the
      rule references and does not follow the principle of least privilege. Avoid
      such open verbs wherever possible, except perhaps when scoped to a custom
      API group. This policy flags any Role or ClusterRole that contains a
      wildcard entry in the verbs list of any rule. With validationFailureAction
      set to Audit, violations are only recorded in policy reports and the object
      is still admitted; set it to Enforce to reject the object at admission.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: wildcard-verbs
      match:
        any:
          - resources:
              kinds:
                - Role
                - ClusterRole
      validate:
        message: "Use of a wildcard ('*') in any verbs is forbidden."
        deny:
          conditions:
            any:
              - key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}"
                operator: Equals
                value: true
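The deny condition above is a single JMESPath expression, so it is easy to misread what it does and does not catch. The following is an added example, not part of the openDesk policy set or of Kyverno: it re-implements the `contains(to_array(request.object.rules[].verbs[]), '*')` check in plain Python, together with the Audit versus Enforce outcome of `validationFailureAction`, and runs it over constructed Role and ClusterRole objects. The sample objects, the function names and the `evaluate` helper are assumptions made for this example and do not exist in the project.

```python
"""Stand-alone re-implementation of the rbac-mgt-007 check (example code).

Not part of the openDesk policy files or of Kyverno. It mirrors the JMESPath
condition
    contains(to_array(request.object.rules[].verbs[]), '*')
in plain Python so the policy logic can be exercised without a cluster.
All Role/ClusterRole objects below are constructed for this example.
"""
from typing import Any, Dict, List


def flatten_verbs(obj: Dict[str, Any]) -> List[Any]:
    """Equivalent of the JMESPath projection request.object.rules[].verbs[].

    A missing `rules` or `verbs` key contributes nothing, which matches the
    JMESPath behaviour (projections drop null results and
    contains([null], '*') is false), so a Role without rules never matches.
    """
    verbs: List[Any] = []
    for rule in obj.get("rules") or []:
        for verb in rule.get("verbs") or []:
            verbs.append(verb)
    return verbs


def has_wildcard_verb(obj: Dict[str, Any]) -> bool:
    """True when any rule lists the exact verb '*'.

    contains() compares whole list elements, so only a bare '*' is caught,
    which is also the only spelling the API server treats as 'all verbs'.
    """
    return "*" in flatten_verbs(obj)


def evaluate(obj: Dict[str, Any], failure_action: str = "Audit") -> str:
    """Admission outcome for the object under this policy.

    Mirrors validationFailureAction: in Audit mode a violation is only
    reported and the object is admitted; in Enforce mode it is denied.
    Returns one of "pass", "audit", "deny".
    """
    if not has_wildcard_verb(obj):
        return "pass"
    return "deny" if failure_action == "Enforce" else "audit"


# Constructed sample objects (not taken from any real cluster).
ROLE_WILDCARD = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "too-broad", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    ],
}

ROLE_SCOPED = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "read-only", "namespace": "dev"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Wildcards in apiGroups/resources only: NOT caught by rbac-mgt-007, which
# inspects verbs alone. A separate policy is needed for that case.
CLUSTERROLE_WILDCARD_RESOURCES = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "reads-everything"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}

# Aggregation parent submitted without a rules list: the projection is null
# and the condition must evaluate to false rather than error.
CLUSTERROLE_EMPTY = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "aggregate-parent"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.example.org/aggregate": "true"}}]},
}


if __name__ == "__main__":
    for obj in (ROLE_WILDCARD, ROLE_SCOPED,
                CLUSTERROLE_WILDCARD_RESOURCES, CLUSTERROLE_EMPTY):
        name = obj["metadata"]["name"]
        print(f"{obj['kind']}/{name}: audit={evaluate(obj)} "
              f"enforce={evaluate(obj, 'Enforce')}")
```

Running it shows `too-broad` reported in Audit mode and denied in Enforce mode, while `reads-everything` passes even though it grants read access to every resource in every API group, a useful reminder that this policy covers only the verbs list.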