mirror of
https://github.com/FairwindsOps/polaris.git
synced 2026-05-11 03:37:42 +00:00
01d7a8ac00
* Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks * Add schema tests * Add clusterrolebindingPodExecAttach, rolebindingRolePodExecAttach, and rolebindingClusterRolePodExecAttach checks + schema-tests * Add the new checks to the full example config * Update checks' success/failure messages and add some helpful comments * Update binding-related check messaging RE: roleRef pointing to a nonexistent resource, and add tests for this case * Update rolebindingClusterRolePodExecAttach and rolebindingRolePodExecAttach to pass if a binding roleRef is a different kind, and schema tests to include a namespace * Add additional schema tests, remove "ignore default ClusterRole|Role bindings" code from checks that actually have no default bindings
56 lines
1.8 KiB
YAML
56 lines
1.8 KiB
YAML
successMessage: The ClusterRole does not allow pods/exec or pods/attach
|
|
failureMessage: The ClusterRole allows Pods/exec or pods/attach
|
|
category: Security
|
|
target: rbac.authorization.k8s.io/ClusterRole
|
|
schemaString: |
|
|
'$schema': http://json-schema.org/draft-07/schema
|
|
type: object
|
|
required: ["metadata", "rules"]
|
|
anyOf:
|
|
# Do not alert on default ClusterRoles.
|
|
- properties:
|
|
metadata:
|
|
required: ["name"]
|
|
properties:
|
|
name:
|
|
type: string
|
|
anyOf:
|
|
- const: 'admin'
|
|
- const: "cluster-admin"
|
|
- const: "edit"
|
|
- const: "system:aggregate-to-edit"
|
|
- const: "system:controller:generic-garbage-collector"
|
|
- const: "system:controller:namespace-controller"
|
|
- properties:
|
|
rules:
|
|
type: array
|
|
items:
|
|
type: object
|
|
not:
|
|
required: ["apiGroups", "resources", "verbs"]
|
|
properties:
|
|
apiGroups:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: ""
|
|
- const: '*'
|
|
resources:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
- const: "pods/exec"
|
|
- const: "pods/attach"
|
|
verbs:
|
|
type: array
|
|
contains:
|
|
type: string
|
|
anyOf:
|
|
- const: '*'
|
|
# An exec is also possible by `get`ing a web socket.
|
|
- const: 'get'
|
|
- const: 'create'
|