polaris/checks/clusterrolebindingPodExecAttach.yaml

successMessage: The ClusterRoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
failureMessage: The ClusterRoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
category: Security
target: rbac.authorization.k8s.io/ClusterRoleBinding
schemaString: |
  '$schema': http://json-schema.org/draft-07/schema
  type: object
  anyOf:
    # Do not alert on default ClusterRoleBindings.
    - required: ["metadata"]
      properties:
        metadata:
          type: object
          required: ["name"]
          properties:
            name:
              type: string
              anyOf:
                - const: "cluster-admin"
                - const: "system:controller:generic-garbage-collector"
                - const: "system:controller:namespace-controller"
    - required: ["roleRef"]
      properties:
        roleRef:
          required: ["apiGroup", "kind", "name"]
          properties:
            apiGroup:
              type: string
              const: "rbac.authorization.k8s.io"
            kind:
              type: string
              const: "ClusterRole"
            name:
              type: string
              minLength: 1
additionalSchemaStrings:
  rbac.authorization.k8s.io/ClusterRole: |
    type: object
    # Do not alert on default ClusterRoleBindings.
    {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name "system:controller:generic-garbage-collector") (ne .metadata.name "system:controller:namespace-controller") }}
    required: ["metadata", "rules"]
    allOf:
      - properties:
          metadata:
            required: ["name"]
            properties:
              name:
                type: string
                const: "{{ .roleRef.name }}"
      - properties:
          rules:
            type: array
            items:
              type: object
              not:
                required: ["apiGroups", "resources", "verbs"]
                properties:
                  apiGroups:
                    type: array
                    contains:
                      type: string
                      anyOf:
                        - const: ""
                        - const: '*'
                  resources:
                    type: array
                    contains:
                      type: string
                      anyOf:
                        - const: '*'
                        - const: "pods/exec"
                        - const: "pods/attach"
                  verbs:
                    type: array
                    contains:
                      type: string
                      anyOf:
                        - const: '*'
                        # An exec is also possible by `get`ing a web socket.
                        - const: 'get'
                        - const: 'create'
    {{ end }}