Create restrict-wildcard-apigroups

rbac-best-practices/restrict-wildcard-apigroups

@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-wildcard-apigroups
+  annotations:
+    policies.kyverno.io/title: Restrict Wildcards in apiGroups
+    policies.kyverno.io/category: Security, EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ClusterRole, Role, RBAC
+    kyverno.io/kyverno-version: 1.7.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/description: >-
+      Wildcards ('*') in apiGroups grants access to all of the apiGroups referenced and does not follow the principal of least privilege. As much as possible,
+      avoid such open resources unless scoped to perhaps a custom API group.
+      This policy blocks any Role or ClusterRole that contains a wildcard entry in the apiGroups list found in any rule.      
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+    - name: wildcard-apigroups
+      match:
+        any:
+        - resources:
+            kinds:
+              - Role
+              - ClusterRole
+      validate:
+        message: "Use of a wildcard ('*') in any apiGroups is forbidden."
+        deny:
+          conditions:
+            any:
+            - key: "{{ contains(request.object.rules[].apiGroups[], '*') }}"
+              operator: Equals
+              value: true