mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-02-14 18:09:54 +00:00
2b17c31957
* Bump lins * Code refactoring * Fixign issues * Fixing issues * Fixing issues * Fixing issues * [WIP] * [WIP] * [WIP] * Trying to fix tests * Trying to fix tests * Fixing issues * Fixing issues * Fixing issues * Fixing issues * Fixing issues * Fixing issues * Revert go mod * Revert go mod * Revert go mod * Revert go mod * Fixing issues * Fixing issue * Code refactoring * Updating json schema version * Updating json schema version
55 lines
1.7 KiB
YAML
55 lines
1.7 KiB
YAML
successMessage: The ClusterRole does not allow pods/exec or pods/attach
|
|
failureMessage: The ClusterRole allows Pods/exec or pods/attach
|
|
category: Security
|
|
target: rbac.authorization.k8s.io/ClusterRole
|
|
schemaString: |
|
|
'$schema': https://json-schema.org/draft/2019-09/schema
|
|
type: object
|
|
required: ["metadata", "rules"]
|
|
anyOf:
|
|
# Do not alert on default ClusterRoles.
|
|
- properties:
|
|
metadata:
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
anyOf:
|
|
- const: 'admin'
|
|
- const: "cluster-admin"
|
|
- const: "edit"
|
|
- pattern: '^system:'
|
|
- const: "gce:podsecuritypolicy:calico-sa"
|
|
- properties:
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
not:
|
|
required: ["apiGroups", "resources", "verbs"]
|
|
properties:
|
|
apiGroups:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: ""
|
|
- const: '*'
|
|
resources:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
- const: "pods/exec"
|
|
- const: "pods/attach"
|
|
verbs:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
# An exec is also possible by `get`ing a web socket.
|
|
- const: 'get'
|
|
- const: 'create'
|