github/polaris
1
0
Fork 0
mirror of https://github.com/FairwindsOps/polaris.git synced 2026-02-14 18:09:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2b17c3195752c8fa33ec61ac4d1bcb9c9622cda6
polaris/pkg/config/checks/rolebindingClusterAdminClusterRole.yaml
jdesouza 2b17c31957 INS-1251: Polaris: upgrade github.com/qri-io/jsonschema to v0.2.1 (#1135) 
* Bump lins

* Code refactoring

* Fixign issues

* Fixing issues

* Fixing issues

* Fixing issues

* [WIP]

* [WIP]

* [WIP]

* Trying to fix tests

* Trying to fix tests

* Fixing issues

* Fixing issues

* Fixing issues

* Fixing issues

* Fixing issues

* Fixing issues

* Revert go mod

* Revert go mod

* Revert go mod

* Revert go mod

* Fixing issues

* Fixing issue

* Code refactoring

* Updating json schema version

* Updating json schema version
2025-07-24 13:46:37 -03:00

99 lines
3.1 KiB
YAML
Raw Blame History

successMessage: The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
failureMessage: The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
category: Security
target: rbac.authorization.k8s.io/RoleBinding
schemaString: |
'$schema': https://json-schema.org/draft/2019-09/schema
type: object
anyOf:
# Pass RoleBindings that point to a Role.
- required: ["roleRef"]
properties:
roleRef:
required: ["kind"]
properties:
kind:
type: string
const: "Role"
# Do not alert on default ClusterRoleBindings.
- required: ["metadata"]
properties:
metadata:
type: object
required: ["name"]
properties:
name:
type: string
anyOf:
- pattern: '^system:'
- const: "gce:podsecuritypolicy:calico-sa"
- required: ["roleRef"]
properties:
roleRef:
required: ["apiGroup", "kind", "name"]
properties:
apiGroup:
type: string
const: "rbac.authorization.k8s.io"
kind:
type: string
const: "ClusterRole"
name:
type: string
minLength: 1
not:
const: "cluster-admin"
additionalSchemaStrings:
rbac.authorization.k8s.io/ClusterRole: |
{{ if eq .roleRef.kind "ClusterRole" }}
{{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
# This schema is validated for all roleBindings, regardless of their roleRef.
type: object
required: ["metadata", "rules"]
allOf:
- properties:
metadata:
required: ["name"]
properties:
name:
type: string
const: "{{ .roleRef.name }}"
- properties:
rules:
type: array
items:
type: object
not:
required: ["apiGroups", "resources", "verbs"]
properties:
apiGroups:
type: array
contains:
type: string
const: "*"
resources:
type: array
contains:
type: string
const: '*'
verbs:
type: array
uniqueItems: true
oneOf:
- contains:
type: string
const: '*'
- minItems: 7
items:
type: string
enum:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "patch"
- "delete"
{{ end }}
{{ end }}
Reference in New Issue View Git Blame Copy Permalink