mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-19 15:48:00 +00:00
467d06f4db
* Enable these checks in the default configuration file, which may produce many new results: * automountServiceAccountToken * linuxHardening * sensitiveConfigmapContent and sensitiveContainerEnvVar * clusterrolebindingClusterAdmin, rolebindingClusterAdminClusterRole, and rolebindingClusterAdminRole * clusterrolePodExecAttach, rolePodExecAttach, clusterrolebindingPodExecAttach, rolebindingClusterRolePodExecAttach, and rolebindingRolePodExecAttach * Ignore the `missingNetworkPolicy` and `automountServiceAccountToken` checks by default * `hasPrefix` and `hasSuffix` functions are now available in the go template * Fix the `sensitiveContainerEnvVar` check to ignore sensitive environment variable names when those variables use `valueFrom` to reference an external resource. * Add the `*ClusterAdmin` checks to `examples/config-full.yaml`. * Exempt the prefix `system:` instead of individual entries for RBAC checks (#871)
93 lines
2.9 KiB
YAML
93 lines
2.9 KiB
YAML
successMessage: The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
|
|
failureMessage: The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
|
|
category: Security
|
|
target: rbac.authorization.k8s.io/RoleBinding
|
|
schemaString: |
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
anyOf:
|
|
# Pass RoleBindings that point to a Role.
|
|
- required: ["roleRef"]
|
|
properties:
|
|
roleRef:
|
|
required: ["kind"]
|
|
properties:
|
|
kind:
|
|
type: string
|
|
const: "Role"
|
|
# Do not alert on default RoleBindings.
|
|
- required: ["metadata"]
|
|
properties:
|
|
metadata:
|
|
type: object
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
anyOf:
|
|
- pattern: '^system:'
|
|
- const: "gce:podsecuritypolicy:calico-sa"
|
|
- required: ["roleRef"]
|
|
properties:
|
|
roleRef:
|
|
required: ["apiGroup", "kind", "name"]
|
|
properties:
|
|
apiGroup:
|
|
type: string
|
|
const: "rbac.authorization.k8s.io"
|
|
kind:
|
|
type: string
|
|
const: "ClusterRole"
|
|
name:
|
|
type: string
|
|
minLength: 1
|
|
additionalSchemaStrings:
|
|
rbac.authorization.k8s.io/ClusterRole: |
|
|
type: object
|
|
# This schema is validated for all roleBindings, regardless of their roleRef.
|
|
{{ if eq .roleRef.kind "ClusterRole" }}
|
|
{{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
|
|
required: ["metadata", "rules"]
|
|
allOf:
|
|
- properties:
|
|
metadata:
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
const: "{{ .roleRef.name }}"
|
|
- properties:
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
not:
|
|
required: ["apiGroups", "resources", "verbs"]
|
|
properties:
|
|
apiGroups:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: ""
|
|
- const: '*'
|
|
resources:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
- const: "pods/exec"
|
|
- const: "pods/attach"
|
|
verbs:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
# An exec is also possible by `get`ing a web socket.
|
|
- const: 'get'
|
|
- const: 'create'
|
|
{{ end }}
|
|
{{ end }}
|