mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-22 09:03:40 +00:00
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks * Add schema tests * Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests * Add the new checks to the full example config * Update checks' success/failure messages and add some helpful comments * Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case * Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace * Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
# This fails because the Role allows pods/exec.
#
# Failure fixture: a namespaced Role grants `create` on the `pods/exec`
# subresource, and a RoleBinding in the same namespace hands that Role to a
# user. `create` on pods/exec is the permission behind `kubectl exec`, so the
# bound subject can run commands inside any pod in the namespace.
# NOTE(review): presumably exercised by one of the PodExecAttach checks named
# in the commit message (Role + RoleBinding pair) - confirm against the
# fixture's directory.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test
  namespace: test
rules:
  # "" is the core API group, where pods and their subresources live.
  # Only pods/exec is granted here; pods/attach is not part of this fixture.
  - apiGroups: [ "" ]
    resources: [ "pods/exec" ]
    verbs: [ create ]
---
# Binds the Role above (same name, same namespace) to a single User subject.
# The roleRef kind is Role, so the grant is limited to namespace `test`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
  namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: test
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: testuser