
Avoid Wildcard Use in Roles and ClusterRoles

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that wildcard use in Kubernetes Roles and ClusterRoles is avoided. While wildcards (*) simplify granting access to all objects or actions, they are not optimal from a security standpoint. A wildcard rule silently widens over time: when new resources, or resources from future product versions, are added to the Kubernetes API, the rule grants access to them without anyone reviewing the change, violating the Principle of Least Privilege (POLP).

Security

Wildcard use risks providing excessive rights to the Kubernetes API and can lead to inadvertent access when new resources or Custom Resource Definitions (CRDs) are added.


Audit

To determine if wildcards are used for Roles and ClusterRoles within your OCI Kubernetes Engine (OKE) cluster, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--file $HOME/.kube/config \
    	--kube-endpoint PUBLIC_ENDPOINT \
    	--region 'ap-sydney-1' \
    	--token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl get roles command to get the roles defined in each namespace of the OCI Kubernetes Engine (OKE) cluster:

    kubectl get roles --all-namespaces -o yaml
    
  8. The command output should return every role defined in your OKE cluster:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cc-metadata-reader
      namespace: cc-web-prod
    rules:
    - apiGroups:
      - ""
      resources:
      - pods
      verbs:
      - get
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cc-dev-admin
      namespace: cc-canal-data
    rules:
    - apiGroups:
      - ""
      resources:
      - secrets
      verbs:
      - '*'
    - apiGroups:
      - extensions
      resources:
      - deployments
      verbs:
      - get
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: cc-temp-user
      namespace: cc-dev-group
    rules:
    - apiGroups:
      - ""
      resources:
      - '*'
      verbs:
      - get
      - list
    

    Inspect the roles returned in the command output and review them for wildcards. Search for the asterisk character (*) within the verbs, resources, or apiGroups fields inside the rules section of each role definition. In the sample output above, cc-dev-admin grants every verb on secrets and cc-temp-user grants get and list on every core resource.

  9. Run the kubectl get clusterroles command to get the cluster-wide roles (ClusterRoles are not namespaced) defined in the OCI Kubernetes Engine (OKE) cluster:

    kubectl get clusterroles -o yaml
    
  10. The command output should return every cluster role defined in your OKE cluster:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cc-cluster-reader
    rules:
    - apiGroups:
      - ""
      resources:
      - nodes
      verbs:
      - get
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cc-cluster-admin
    rules:
    - apiGroups:
      - ""
      resources:
      - '*'
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cc-cluster-writer
    rules:
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - '*'
    

    Inspect the cluster roles returned in the command output and review them for wildcards. Search for the asterisk character (*) within the verbs, resources, or apiGroups fields inside the rules section of each cluster role definition. In the sample output above, cc-cluster-admin can read every core resource cluster-wide and cc-cluster-writer holds every verb on CustomResourceDefinitions.

Remediation / Resolution

To implement the Principle of Least Privilege (POLP), replace all uses of the wildcard (*) in Roles and ClusterRoles with explicitly defined resources, verbs, and apiGroups. This ensures that principals possess only the exact permissions necessary to perform their specific functions, preventing accidental or malicious privilege escalation, and it also keeps a rule from growing as new resources or CRDs are added to the API.
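Reviewing the YAML by eye, as the Audit steps describe, does not scale past a handful of roles, and the remediation above needs a way to confirm that a rewritten rule is actually wildcard-free. The script below is an added example, not part of the Conformity page or of any Trend Micro tool. It assumes the roles were exported in JSON rather than YAML (kubectl get roles -A -o json and kubectl get clusterroles -o json, which emit a List object whose items are the role definitions) so that only the Python standard library is needed; the embedded sample is constructed to mirror the roles shown in the Audit output. It goes a little beyond the text by also checking nonResourceURLs and by treating any entry that contains an asterisk (for example a subresource pattern) as a wildcard, and tighten_rule shows the remediation step: the same rule, with the wildcard replaced by an explicit list, no longer produces a finding.

```python
"""Flag wildcard (*) use in Kubernetes Role and ClusterRole rules.

Added example (not code from the original page). Input shape is the
`kind: List` document that `kubectl get ... -o json` prints; the sample
at the bottom is constructed to match the Audit section's roles.
"""
import json

# RBAC rule fields in which a wildcard entry grants open-ended access.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs", "nonResourceURLs")


def find_wildcard_rules(role_list):
    """Return one finding per (rule, field) that contains a wildcard entry.

    Each finding records kind, namespace (None for a ClusterRole), name,
    the rule's index within `rules`, the field and the offending entries.
    Any entry containing '*' is reported, so '*/status'-style patterns are
    caught as well as a bare '*'.  `rules` may be null for aggregated
    ClusterRoles, hence the `or []`.
    """
    findings = []
    for item in role_list.get("items", []):
        meta = item.get("metadata", {})
        for idx, rule in enumerate(item.get("rules") or []):
            for field in WILDCARD_FIELDS:
                bad = [v for v in rule.get(field, []) if "*" in v]
                if bad:
                    findings.append({
                        "kind": item.get("kind"),
                        "namespace": meta.get("namespace"),
                        "name": meta.get("name"),
                        "rule": idx,
                        "field": field,
                        "entries": bad,
                    })
    return findings


def tighten_rule(rule, replacements):
    """Return a copy of `rule` with wildcard fields replaced by explicit lists.

    `replacements` maps a field name to the explicit values that should
    stand in for the wildcard, e.g. {"verbs": ["get", "list"]}.  Fields
    that carry no wildcard are left exactly as they were.
    """
    fixed = dict(rule)
    for field, explicit in replacements.items():
        if any("*" in v for v in fixed.get(field, [])):
            fixed[field] = list(explicit)
    return fixed


# Constructed sample in `kubectl ... -o json` List form; the role names and
# rules mirror the Audit section, with one Role added per wildcard position.
SAMPLE_ROLES = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "cc-metadata-reader", "namespace": "cc-web-prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "cc-dev-admin", "namespace": "cc-canal-data"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
               {"apiGroups": ["extensions"], "resources": ["deployments"], "verbs": ["get"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "cc-temp-user", "namespace": "cc-dev-group"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "cc-cluster-writer"},
     "rules": [{"apiGroups": ["apiextensions.k8s.io"],
                "resources": ["customresourcedefinitions"], "verbs": ["*"]}]}
  ]
}
""")


if __name__ == "__main__":
    # Report each wildcard, then show the remediated form of the first one.
    for f in find_wildcard_rules(SAMPLE_ROLES):
        scope = f["namespace"] or "<cluster>"
        print(f"{f['kind']} {scope}/{f['name']} rule[{f['rule']}] "
              f"{f['field']}={f['entries']}")
    before = SAMPLE_ROLES["items"][1]["rules"][0]
    after = tighten_rule(before, {"verbs": ["get", "list"]})
    print("remediated:", json.dumps(after))
```

In practice, pipe the two kubectl commands into this module (for example by loading json from stdin instead of SAMPLE_ROLES) and treat any non-empty result as a failed check; re-run it after applying the remediation to confirm that the rewritten Roles and ClusterRoles produce no findings.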

Publication date Dec 11, 2025