Profile Applicability: Level 1
Kubernetes Roles and ClusterRoles grant access to resources in terms of a set of objects (apiGroups and resources) and the actions (verbs) that may be performed on them. Any of these lists can be set to the wildcard "*", which matches everything.
From a security standpoint wildcards are undesirable: a wildcard rule silently extends to resources that do not exist yet, so access is granted unintentionally when new resource types are added to the Kubernetes API, whether as CRDs or in a later release of the product.
The principle of least privilege calls for giving a subject exactly the access its function requires, no more and no less. Wildcard grants typically confer far broader permissions on the Kubernetes API than the subject actually needs.

Audit

Retrieve the Roles defined in every namespace of the cluster, together with the ClusterRoles, and inspect their rules for wildcards.
The following command is null-safe (it tolerates Roles with no rules and rules with a missing field) and prints one column-aligned line per Role or ClusterRole that uses a wildcard ("*") anywhere in verbs, resources or apiGroups, together with the field(s) in which the wildcard appears:
kubectl get clusterrole,role -A -o json | jq -r '
  # true if the list contains the literal "*"; a missing list counts as empty
  def has_star(a): (a // []) | any(. == "*");

  .items[] | . as $r |
  ( any($r.rules[]?; has_star(.verbs)) )     as $wv |
  ( any($r.rules[]?; has_star(.resources)) ) as $wr |
  ( any($r.rules[]?; has_star(.apiGroups)) ) as $wg |
  select($wv or $wr or $wg) |
  [ $r.kind, $r.metadata.name,
    ($r.metadata.namespace // "cluster-wide"),
    ([ if $wv then "verbs"     else empty end,
       if $wr then "resources" else empty end,
       if $wg then "apiGroups" else empty end
    ] | join(","))
  ] | @tsv
' | awk -F'\t' '
  BEGIN { printf "%-15s %-45s %-20s %-20s\n", "KIND", "NAME", "NAMESPACE", "WILDCARD_IN" }
        { printf "%-15s %-45s %-20s %-20s\n", $1, $2, $3, $4 }'
Sample output of the command (from a GKE cluster):
KIND            NAME                                          NAMESPACE            WILDCARD_IN
ClusterRole     cluster-admin                                 cluster-wide         verbs,resources,apiGroups
ClusterRole     external-metrics-reader                       cluster-wide         resources
ClusterRole     kubelet-api-admin                             cluster-wide         verbs
ClusterRole     system:cloud-controller-manager               cluster-wide         resources,apiGroups
ClusterRole     system:controller:disruption-controller       cluster-wide         apiGroups
ClusterRole     system:controller:generic-garbage-collector   cluster-wide         resources,apiGroups
ClusterRole     system:controller:horizontal-pod-autoscaler   cluster-wide         resources,apiGroups
ClusterRole     system:controller:namespace-controller        cluster-wide         resources,apiGroups
ClusterRole     system:controller:resourcequota-controller    cluster-wide         resources,apiGroups
ClusterRole     system:gcp-controller-manager                 cluster-wide         verbs
ClusterRole     system:gke-common-webhooks                    cluster-wide         verbs,resources,apiGroups
ClusterRole     system:gke-hpa-actor                          cluster-wide         resources,apiGroups
ClusterRole     system:glbc-status                            cluster-wide         verbs
ClusterRole     system:kube-controller-manager                cluster-wide         resources,apiGroups
ClusterRole     system:kubelet-api-admin                      cluster-wide         verbs
ClusterRole     system:kubestore-collector                    cluster-wide         verbs,resources,apiGroups
ClusterRole     system:managed-certificate-controller         cluster-wide         verbs
ClusterRole     system:metrics-server-nanny                   cluster-wide         verbs
Role            gke-spiffe-leaderelection                     kube-system          verbs

Remediation

Wherever possible, replace the wildcards used in ClusterRoles and Roles with the specific API groups, resources and verbs the subject actually needs. Note that the default system: ClusterRoles and cluster-admin are reconciled by the API server on start-up (they carry the rbac.authorization.kubernetes.io/autoupdate annotation), so edits to them are reverted; for those, review and minimise the RoleBindings and ClusterRoleBindings that reference them instead of editing the roles. After changing a Role, re-run the audit command above and confirm the role no longer appears in the output.
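A before/after illustration of that remediation, added here as an example and not taken from the CIS text or from any GKE-managed object: a namespaced Role that fails the audit above, followed by the least-privilege rewrite of the same Role that passes it. The namespace "payments", the Role name "orders-api", the named ConfigMap, Secret and Lease objects, and the service account used in the verification step are all assumed for illustration.

```yaml
# Added example, not from the original page or from any Kubernetes/GKE project.
# Names (namespace "payments", Role "orders-api", the resourceNames) are assumed.

# BEFORE: every field is a wildcard. Any API group, CRD or verb that appears in
# the cluster later is silently granted to every subject bound to this Role,
# which is exactly the failure mode the audit flags (verbs,resources,apiGroups).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api
  namespace: payments
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
# AFTER: the same Role reduced to what the workload actually does: read its own
# ConfigMap and Secret by name, watch Pods in its namespace, and renew one Lease.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-api
  namespace: payments
rules:
# The core API group is spelled as the empty string "", never as "*".
- apiGroups: [""]
  resources: ["configmaps", "secrets"]
  resourceNames: ["orders-api-config", "orders-api-db-credentials"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# Leader election: the Lease is created ahead of time by the deployer, because
# "create" cannot be restricted by resourceNames (the name is unknown at
# request time), so the workload itself only needs get and update on one object.
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  resourceNames: ["orders-api-leader"]
  verbs: ["get", "update"]
```

Apply the corrected manifest with kubectl apply -f, then confirm the effective permissions of the bound subject with kubectl auth can-i --list -n payments --as=system:serviceaccount:payments:orders-api (the service account name is assumed); the listing should show only the three rule sets above. Re-running the audit command from the Audit section should no longer print a line for orders-api.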