mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-06 09:16:36 +00:00
742b21c6a2
* Add `clusterrolebindingClusterAdmin`, `rolebindingClusterAdminRole`, and `rolebindingClusterAdminClusterRole` checks + schema tests * Update `rolebindingClusterAdminClusterRole` check to explicitly match the `cluster-admin` default ClusterRole, fix `...all_verbs` schema test, add schema checks for unrelated permissions
83 lines
2.5 KiB
YAML
83 lines
2.5 KiB
YAML
successMessage: The RoleBinding does not reference a Role with wildcard permissions
|
|
failureMessage: The RoleBinding references a Role with wildcard permissions
|
|
category: Security
|
|
target: rbac.authorization.k8s.io/RoleBinding
|
|
schemaString: |
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
anyOf:
|
|
# Pass RoleBindings that point to a ClusterRole.
|
|
- required: ["roleRef"]
|
|
properties:
|
|
roleRef:
|
|
required: ["kind"]
|
|
properties:
|
|
kind:
|
|
type: string
|
|
const: "ClusterRole"
|
|
- required: ["roleRef"]
|
|
properties:
|
|
roleRef:
|
|
required: ["apiGroup", "kind", "name"]
|
|
properties:
|
|
apiGroup:
|
|
type: string
|
|
const: "rbac.authorization.k8s.io"
|
|
kind:
|
|
type: string
|
|
const: "Role"
|
|
name:
|
|
type: string
|
|
minLength: 1
|
|
additionalSchemaStrings:
|
|
rbac.authorization.k8s.io/Role: |
|
|
type: object
|
|
# This schema is validated for all roleBindings, regardless of their roleRef.
|
|
{{ if eq .roleRef.kind "Role" }}
|
|
required: ["metadata", "rules"]
|
|
allOf:
|
|
- properties:
|
|
metadata:
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
const: "{{ .roleRef.name }}"
|
|
- properties:
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
not:
|
|
required: ["apiGroups", "resources", "verbs"]
|
|
properties:
|
|
apiGroups:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
const: "*"
|
|
resources:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
const: '*'
|
|
verbs:
|
|
type: array
|
|
uniqueItems: true
|
|
oneOf:
|
|
- contains:
|
|
type: string
|
|
const: '*'
|
|
- minItems: 7
|
|
items:
|
|
type: string
|
|
enum:
|
|
- "get"
|
|
- "list"
|
|
- "watch"
|
|
- "create"
|
|
- "update"
|
|
- "patch"
|
|
- "delete"
|
|
{{ end }}
|