KSV046 ("Manage all resources") match is too broad

[evankanderson]

Description

https://avd.aquasec.com/misconfig/kubernetes/general/avd-ksv-0046/ reports that a ClusterRole with resources = ["*"] has permission to manage all resources:

Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.

However, ClusterRole rules are required to have an apiGroups field; if the apiGroups do not contain "", then permissions are granted on some other API resource (for example, as suggested by Kubernetes user-facing roles as done here: https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml#L15-L58

Desired Behavior

I'd expect KSV046 to only fire if the default ("") apiGroup is in the ClusterRole's rule.

Actual Behavior

The rule fires with a CRITICAL severity regardless, which makes it harder to create these roles for extension APIs that don't ship them.

Reproduction Steps

1. Create a ClusterRole like the following in a .yaml file:

   
   kind: ClusterRole
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: envoy-gateway-namespaced-view
     labels:
       rbac.authorization.k8s.io/aggregate-to-view: "true"
   rules:
     - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
       resources: ["*"]
       verbs: ["get", "list", "watch"]
    ```
2. Run `trivy fs .`
3. Get the following error:

────────────────────────────────────────
CRITICAL: ClusterRole 'envoy-gateway-namespaced-view' shouldn't manage all resources
════════════════════════════════════════
Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.
See https://avd.aquasec.com/misconfig/ksv046
────────────────────────────────────────
eng-debug.yaml:124-126
────────────────────────────────────────
124 ┌ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
125 │ resources: ["*"]
126 └ verbs: ["get", "list", "watch"]
────────────────────────────────────────

Target

Filesystem

Scanner

Misconfiguration

Output Format

Template

Mode

Standalone

Debug Output

N/A -- using the `trivy-action` on PRs.

Operating System

GitHub Actions

Version

0.55.x (because 0.56.x is broken for Terraform `data` blocks).

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @evankanderson - while I agree with your reasoning, the check was written based on the CIS benchmark spec which doesn't actually make any mention of apiGroups being set or not, when scanning ClusterRole kind.

if the apiGroups do not contain "", then permissions are granted on some other API resource (for example, as suggested by Kubernetes user-facing roles as done here: https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml#L15-L58

In the link you shared, I couldn't find anything specifically about ClusterRole kind and the mention for apiGroups. apiGroups=[""] will target core k8s api.

So I'd like to discuss this and understand it a little more.