Profile applicability: Level 1
Kubernetes Roles and ClusterRoles provide access to resources based on sets of objects and actions that can be taken on those objects. It is possible to set either of these to be the wildcard "*", which matches all items.
Use of wildcards is not optimal from a security perspective as it may allow for inadvertent access to be granted when new resources are added to the Kubernetes API either as CRDs or in later versions of the product.
The principle of least privilege recommends that users are provided only the access required for their role and nothing more. The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

Audit

Retrieve the Roles and ClusterRoles defined across every namespace in the cluster and review them for wildcards.
The following command (null-safe and column-formatted) lists only the Roles and ClusterRoles that use a wildcard (*) anywhere in verbs, resources, or apiGroups, and reports which field(s) contain the wildcard:
kubectl get clusterrole,role -A -o json | jq -r '
  # true when the (possibly null) array contains the wildcard
  def has_star(a): (a // []) | any(. == "*");

  .items[] | . as $r |
  ( any($r.rules[]?; has_star(.verbs)) ) as $wv |
  ( any($r.rules[]?; has_star(.resources)) ) as $wr |
  ( any($r.rules[]?; has_star(.apiGroups)) ) as $wg |
  select($wv or $wr or $wg) |
  [ $r.kind, $r.metadata.name,
    ($r.metadata.namespace // "cluster-wide"),
    ([ if $wv then "verbs" else empty end,
       if $wr then "resources" else empty end,
       if $wg then "apiGroups" else empty end
    ] | join(","))
  ] | @tsv
' | awk -F'\t' '
  BEGIN {
    # header and separator rows, same widths as the data rows
    printf "%-15s %-40s %-20s %-20s\n", "KIND", "NAME", "NAMESPACE", "WILDCARD_IN"
    printf "%-15s %-40s %-20s %-20s\n", "---------------", "----------------------------------------", "--------------------", "--------------------"
  }
  { printf "%-15s %-40s %-20s %-20s\n", $1, $2, $3, $4 }'
Sample output from the command:
KIND            NAME                                     NAMESPACE            WILDCARD_IN
--------------- ---------------------------------------- -------------------- --------------------
ClusterRole     cluster-admin                            cluster-wide         verbs,resources,apiGroups
ClusterRole     external-metrics-reader                  cluster-wide         resources
ClusterRole     kubelet-api-admin                        cluster-wide         verbs
ClusterRole     system:cloud-controller-manager          cluster-wide         resources,apiGroups
ClusterRole     system:controller:disruption-controller  cluster-wide         apiGroups
ClusterRole     system:controller:generic-garbage-collector cluster-wide         resources,apiGroups
ClusterRole     system:controller:horizontal-pod-autoscaler cluster-wide         resources,apiGroups
ClusterRole     system:controller:namespace-controller   cluster-wide         resources,apiGroups
ClusterRole     system:controller:resourcequota-controller cluster-wide         resources,apiGroups
ClusterRole     system:gcp-controller-manager            cluster-wide         verbs
ClusterRole     system:gke-common-webhooks               cluster-wide         verbs,resources,apiGroups
ClusterRole     system:gke-hpa-actor                     cluster-wide         resources,apiGroups
ClusterRole     system:glbc-status                       cluster-wide         verbs
ClusterRole     system:kube-controller-manager           cluster-wide         resources,apiGroups
ClusterRole     system:kubelet-api-admin                 cluster-wide         verbs
ClusterRole     system:kubestore-collector               cluster-wide         verbs,resources,apiGroups
ClusterRole     system:managed-certificate-controller    cluster-wide         verbs
ClusterRole     system:metrics-server-nanny              cluster-wide         verbs
Role            gke-spiffe-leaderelection                kube-system          verbs

Remediation

Where possible, replace any use of wildcards in ClusterRoles and Roles with the specific objects or actions that the role actually requires.
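The audit and remediation steps above, as an added example that is not part of the benchmark text and not GKE's or kubectl's own code: the same wildcard detection implemented in Python over a constructed JSON document in the shape `kubectl get clusterrole,role -A -o json` emits, plus a remediation helper that swaps each wildcard for an explicit list and refuses to produce a manifest that still contains one. The role names (example-admin, example-leaderelection, and so on) and the verbs chosen for the leader-election Role are assumptions made for the illustration. When reading the real output, keep in mind that built-in roles such as cluster-admin and the system: controller roles in the sample output legitimately contain wildcards and are platform-managed; the review should concentrate on roles created by your own teams.

```python
import copy
import json

# Constructed sample standing in for `kubectl get clusterrole,role -A -o json`,
# trimmed to the fields the audit reads. The role names are made up.
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # wildcard in every field: the fully over-privileged case
            "kind": "ClusterRole",
            "metadata": {"name": "example-admin"},
            "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
        {   # wildcard verbs in one of two rules, scoped to a namespace
            "kind": "Role",
            "metadata": {"name": "example-leaderelection", "namespace": "kube-system"},
            "rules": [
                {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["*"]},
                {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
            ],
        },
        {   # least-privilege role: nothing to report
            "kind": "Role",
            "metadata": {"name": "example-reader", "namespace": "default"},
            "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                       "verbs": ["get", "list", "watch"]}],
        },
        {   # aggregated ClusterRole with no "rules" key at all: the null-safety case
            "kind": "ClusterRole",
            "metadata": {"name": "example-aggregate"},
            "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"example.com/aggregate": "true"}}]},
        },
    ],
}
SAMPLE_JSON = json.dumps(SAMPLE_LIST)

# Rule fields in which "*" grants everything; findings report them in this order.
WILDCARD_FIELDS = ("verbs", "resources", "apiGroups")


def wildcard_fields(role):
    """Fields of any rule in `role` that contain "*" (empty list if none)."""
    found = set()
    for rule in role.get("rules") or []:      # rules may be absent or null
        for field in WILDCARD_FIELDS:
            if "*" in (rule.get(field) or []):
                found.add(field)
    return [f for f in WILDCARD_FIELDS if f in found]


def audit_wildcards(role_list_json):
    """Parse kubectl's JSON List and return (kind, name, namespace, fields) per offending role."""
    findings = []
    for role in json.loads(role_list_json).get("items", []):
        fields = wildcard_fields(role)
        if fields:
            meta = role["metadata"]
            findings.append((role["kind"], meta["name"],
                             meta.get("namespace", "cluster-wide"), fields))
    return findings


def replace_wildcards(role, replacements):
    """Return a copy of `role` with every wildcard field swapped for the explicit list in
    `replacements`, e.g. {"verbs": ["get", "update"]}. Raises ValueError when a wildcard
    has no replacement, so a still-over-privileged manifest is never written out."""
    fixed = copy.deepcopy(role)
    for rule in fixed.get("rules") or []:
        for field in WILDCARD_FIELDS:
            if "*" in (rule.get(field) or []):
                if field not in replacements:
                    raise ValueError(f"{role['metadata']['name']}: wildcard in {field} needs an explicit list")
                rule[field] = list(replacements[field])
    return fixed


def format_report(findings):
    """Render findings in the same column layout as the kubectl/jq/awk command."""
    fmt = "{:<15} {:<40} {:<20} {:<20}"
    lines = [fmt.format("KIND", "NAME", "NAMESPACE", "WILDCARD_IN"),
             fmt.format("-" * 15, "-" * 40, "-" * 20, "-" * 20)]
    lines += [fmt.format(kind, name, ns, ",".join(fields)) for kind, name, ns, fields in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_wildcards(SAMPLE_JSON)))
    # Remediate the leader-election Role. The verb list is an assumption for the
    # illustration: a lease-based leader-election client typically needs only these.
    tightened = replace_wildcards(SAMPLE_LIST["items"][1], {"verbs": ["get", "update", "create"]})
    print("\nafter remediation:", wildcard_fields(tightened) or "no wildcards")
```

Pipe the real `kubectl ... -o json` output into `audit_wildcards` to reproduce the table from the jq command; `replace_wildcards` is deliberately strict so that a remediation run that forgets one field fails loudly instead of shipping a manifest with a leftover "*".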