Value Statement
By prohibiting the use of wildcards in RBAC permissions, we enhance security by enforcing precise access control and reducing the risk of unauthorized access to resources.
Targeted Files (TBD):
- [ ]
Definition of Done for Engineering Story Owner (Checklist)
- [ ] Wildcards are removed from RBAC permissions in various YAML files.
- [ ] RBAC configurations are validated to ensure precise access control.
Noncompliant code example
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["*"] # Noncompliant
  verbs: ["get", "list"]
Compliant solution
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
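A small check that makes the "RBAC configurations are validated" item concrete. This is an added example, not code from the stolostron project or this story: it reports every "*" entry in the apiGroups, resources or verbs of a Role or ClusterRole, so that the noncompliant Role above is flagged and the compliant one passes. It assumes input in the shape that `kubectl get roles,clusterroles -A -o json` produces (a List object with an items array, or a single object); the embedded sample is constructed and mirrors the two examples above plus a hypothetical ClusterRole named too-broad. An empty apiGroups entry ("") is the core API group, not a wildcard, and is deliberately not flagged.

```python
import json
import sys

WILDCARD = "*"
# The three list fields of a PolicyRule that accept "*" in Kubernetes RBAC.
RULE_FIELDS = ("apiGroups", "resources", "verbs")

# Constructed sample in the shape `kubectl get roles,clusterroles -A -o json`
# returns: the story's noncompliant Role, its compliant form, and a made-up
# ClusterRole that is wildcarded in two fields at once.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"namespace": "default", "name": "example-role"},
         "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
         "metadata": {"namespace": "default", "name": "example-role-fixed"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": {"name": "too-broad"},
         "rules": [{"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["*"]}]},
    ],
})


def find_wildcard_rules(doc):
    """Return one finding dict per "*" entry in any Role/ClusterRole rule.

    `doc` is either a single object or a List object carrying an `items`
    array. apiGroups: [""] is the core API group, not a wildcard, so it is
    left alone; only a literal "*" entry is reported.
    """
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata", {})
        for idx, rule in enumerate(obj.get("rules") or []):
            for field in RULE_FIELDS:
                if WILDCARD in (rule.get(field) or []):
                    findings.append({
                        "kind": obj["kind"],
                        "namespace": meta.get("namespace", ""),  # empty for ClusterRole
                        "name": meta.get("name", ""),
                        "rule": idx,
                        "field": field,
                    })
    return findings


def lint_json(text):
    """Parse a kubectl JSON document; return (findings, exit_code)."""
    findings = find_wildcard_rules(json.loads(text))
    return findings, (1 if findings else 0)


def format_finding(f):
    """One human-readable line per finding, e.g. for a CI log."""
    scope = "{}/".format(f["namespace"]) if f["namespace"] else ""
    return "{} {}{}: rules[{}].{} contains \"*\"".format(
        f["kind"], scope, f["name"], f["rule"], f["field"])


if __name__ == "__main__":
    # Usage: python rbac_wildcards.py [file.json]; without a file the
    # constructed sample is linted. Non-zero exit lets CI fail the build.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    found, code = lint_json(text)
    for f in found:
        print(format_finding(f))
    print("{} wildcard rule entries found".format(len(found)))
    sys.exit(code)
```

Run against the sample it prints one line for example-role (resources) and two for too-broad (apiGroups and verbs), and exits 1; the fixed Role produces nothing. Feeding it `kubectl get roles,clusterroles -A -o json > roles.json` output is the realistic use.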
Development Complete
- The code is complete.
- Functionality is working.
- Any required downstream Docker file changes are made.
Tests Automated
- [ ] Unit/function tests have been automated and incorporated into the build.
- [ ] 100% automated unit/function test coverage for new or changed APIs.
Secure Design
- [ ] Security has been assessed and incorporated into your threat model.
Multidisciplinary Teams Readiness
- [ ] Create an informative documentation issue using the [Customer Portal_doc_issue template](https://github.com/stolostron/backlog/issues/new?assignees=&labels=squad%3Adoc&template=doc_issue.md&title=), and ensure doc acceptance criteria are met. Link the development issue to the doc issue.
- [ ] Provide input to the QE team, and ensure QE acceptance criteria (established between story owner and QE focal) are met.
Support Readiness
- [ ] The must-gather script has been updated.
Clones:
- ACM-10001 MCH: Prohibit the use of wildcards when defining RBAC permissions in various YAML files to enforce precise access control (To Do)