FairwindsOps / polaris

Validation of best practices in your Kubernetes clusters

Home Page: https://www.fairwinds.com/polaris

Issues with rolebindingClusterAdminClusterRole and rolebindingClusterRolePodExecAttach

JoseAlvarezSonos opened this issue · comments

What happened?

I'm seeing some issues with the rolebindingClusterAdminClusterRole and rolebindingClusterRolePodExecAttach checks. I have IMO a simple ServiceAccount with a simple Role and RoleBinding, but Polaris throws an error with the aforementioned checks and I don't fully understand how to fix them nor if they are an issue. It seems more like a bug of Polaris.

Trying to check deeper I found this link https://polaris.docs.fairwinds.com/checks/security/, where it states:

  • rolebindingRolePodExecAttach - Fails when the RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist.
  • rolebindingClusterAdminClusterRole - Fails when the RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions.

And to my eyes, none of them apply to my conf, this is a simplified version but it triggers the issue:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: some-api
  namespace: dev
  labels:
    role: service
    tier: backend
imagePullSecrets:
  - name: regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: some-api
  namespace: some-ns
rules:
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: some-api
  namespace: some-ns
roleRef:
  kind: Role
  name: some-api
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: some-api
    namespace: dev

What did you expect to happen?

To show success for my configuration.

How can we reproduce this?

Put the configuration I shared in a test.yaml file and run: polaris audit --audit-path test.yaml --format=pretty

Version

8.5.1

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response
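To make the semantics of the four RoleBinding checks quoted above concrete, here is an added stand-alone Python model of them (not Polaris's own code), evaluated over the issue's Role/RoleBinding plus a constructed Role that grants pods/exec. Assumptions: "wildcard permissions" is taken to mean a single rule with `*` in both resources and verbs, and a referenced role that cannot be found fails the exec/attach check, as the quoted docs state.

```python
WILDCARD = "*"
EXEC_ATTACH = ("pods/exec", "pods/attach")


def allows_exec_attach(rules):
    """True if any rule can grant pods/exec or pods/attach (directly or via '*')."""
    for rule in rules:
        if not rule.get("verbs"):
            continue
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        core = "" in groups or WILDCARD in groups  # pod subresources live in the core group
        if core and (WILDCARD in resources or any(r in resources for r in EXEC_ATTACH)):
            return True
    return False


def has_wildcard_permissions(rules):
    """True if one rule grants '*' resources with '*' verbs (assumed definition)."""
    return any(WILDCARD in r.get("resources", []) and WILDCARD in r.get("verbs", [])
               for r in rules)


def evaluate_rolebinding(binding, roles, cluster_roles):
    """Map each Polaris RoleBinding check id to True (pass) or False (fail).
    roles is keyed by (namespace, name), cluster_roles by name; a check that does
    not apply to the referenced kind passes, as in the --format=pretty output."""
    ref, ns = binding["roleRef"], binding["metadata"]["namespace"]
    is_cluster = ref["kind"] == "ClusterRole"
    role = cluster_roles.get(ref["name"]) if is_cluster else roles.get((ns, ref["name"]))
    rules = role["rules"] if role else None
    no_exec = rules is not None and not allows_exec_attach(rules)  # missing role fails
    no_wild = rules is not None and not has_wildcard_permissions(rules)
    return {
        "rolebindingClusterRolePodExecAttach": no_exec if is_cluster else True,
        "rolebindingClusterAdminClusterRole": (no_wild and ref["name"] != "cluster-admin") if is_cluster else True,
        "rolebindingRolePodExecAttach": no_exec if not is_cluster else True,
        "rolebindingClusterAdminRole": no_wild if not is_cluster else True,
    }


# Constructed manifests: the issue's Role (services get/list) and a risky Role named "debug".
ROLES = {
    ("some-ns", "some-api"): {"rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]},
    ("some-ns", "debug"): {"rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
}


def binding(name, kind="Role", ns="some-ns"):
    """Build a minimal RoleBinding dict like the one in the issue (constructed helper)."""
    return {"metadata": {"namespace": ns}, "roleRef": {"kind": kind, "name": name}}
```

Against the issue's manifests every check passes, which is the result the reporter expected; the "debug" Role and a missing or cluster-admin ClusterRole show what the failing cases look like.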

Interestingly, this is not reproducible in-cluster, but I can reproduce it for YAML checks.

in-cluster test

kind create cluster
kubectl create ns some-ns
kubectl create ns dev
kubectl apply -f /tmp/test.yaml # copied yaml from issue
polaris audit --checks rolebindingRolePodExecAttach --format pretty
# Output has zero failed checks

We've created an internal dev issue to track this. Thanks!

Hello, any news on this issue by any chance? 🙏

We're reviewing a proposed PR fix for this, should cover your example:

go run main.go audit --audit-path test-iac.yaml --format=pretty

Polaris audited Path test-iac.yaml at 2024-01-03T13:04:44-06:00
    Nodes: 0 | Namespaces: 0 | Controllers: 0
    Final score: 100

RoleBinding some-api in namespace some-ns
    rolebindingClusterRolePodExecAttach  🎉 Success
        Security - The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
    rolebindingRolePodExecAttach         🎉 Success
        Security - The RoleBinding does not reference a Role allowing Pod exec or attach
    rolebindingClusterAdminClusterRole   🎉 Success
        Security - The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
    rolebindingClusterAdminRole          🎉 Success
        Security - The RoleBinding does not reference a Role with wildcard permissions

ServiceAccount some-api in namespace dev

Role some-api in namespace some-ns
    rolePodExecAttach                    🎉 Success
        Security - The Role does not allow pods/exec or pods/attach