successMessage: The RoleBinding does not reference a Role allowing Pod exec or attach failureMessage: The RoleBinding references a Role that allows Pods/exec, allows pods/attach, or that does not exist category: Security target: rbac.authorization.k8s.io/RoleBinding schemaString: | '$schema': http://json-schema.org/draft-07/schema type: object anyOf: # Pass RoleBindings that point to a ClusterRole. - required: ["roleRef"] properties: roleRef: required: ["apiGroup", "kind", "name"] properties: apiGroup: type: string const: "rbac.authorization.k8s.io" kind: type: string const: "Role" - required: ["roleRef"] properties: roleRef: required: ["apiGroup", "kind", "name"] properties: apiGroup: type: string const: "rbac.authorization.k8s.io" kind: type: string const: "Role" name: type: string minLength: 1 additionalSchemaStrings: rbac.authorization.k8s.io/Role: | type: object # This schema is validated for all roleBindings, regardless of their roleRef. {{ if eq .roleRef.kind "Role" }} required: ["metadata", "rules"] allOf: - properties: metadata: required: ["name"] properties: name: type: string const: "{{ .roleRef.name }}" - properties: rules: type: array items: type: object not: required: ["apiGroups", "resources", "verbs"] properties: apiGroups: type: array contains: type: string anyOf: - const: "" - const: '*' resources: type: array contains: type: string anyOf: - const: '*' - const: "pods/exec" - const: "pods/attach" verbs: type: array contains: type: string anyOf: - const: '*' # An exec is also possible by `get`ing a web socket. - const: 'get' - const: 'create' {{ end }}