rolebinding checks failing
gerodriguez-fan opened this issue · comments
What happened?
With the following sample config:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: observability
  name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: observability
subjects:
- kind: User
  name: jane
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Polaris throws the following errors.
RoleBinding read-pods in namespace observability
rolebindingClusterAdminClusterRole ❌ Danger
Security - The RoleBinding references the default cluster-admin ClusterRole or one with wildcard permissions
rolebindingClusterRolePodExecAttach ❌ Danger
Security - The RoleBinding references a ClusterRole that allows Pods/exec, allows pods/attach, or that does not exist
What did you expect to happen?
Checks should have passed, as these are common RoleBinding examples; also, the reference to ClusterRoles is misleading, as these are regular Roles.
How can we reproduce this?
Create a file with the sample rolebindings and run polaris audit
Version
8.5.3
Search
- I did search for other open and closed issues before opening this.
Code of Conduct
- I agree to follow this project's Code of Conduct
Additional context
No response
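The behaviour the report expects, as an added example that is not Polaris code: a RoleBinding's `roleRef` is resolved first (a `Role` is looked up in the binding's own namespace, a `ClusterRole` cluster-wide), and only the rules of the object actually referenced decide whether the "cluster-admin or wildcard" and "pods/exec, pods/attach or does not exist" findings fire. The two manifests from the issue are transcribed as Python dicts so the script runs without a YAML library; the `cluster-admin`, `pod-exec` and dangling-reference manifests are constructed here to exercise the other branches, and the finding names for the `Role` variants (`rolebindingClusterAdminRole`, `rolebindingRolePodExecAttach`) are assumed by analogy with the two identifiers shown in the report.

```python
"""Resolve a RoleBinding's roleRef before judging it (illustrative, not Polaris code)."""

CORE_GROUP = ""  # "" is the core API group in RBAC rules

# Transcribed from the YAML in the issue body.
ROLE_POD_READER = {
    "kind": "Role",
    "metadata": {"namespace": "observability", "name": "pod-reader"},
    "rules": [{"apiGroups": [CORE_GROUP], "resources": ["pods"],
               "verbs": ["get", "watch", "list"]}],
}
RB_READ_PODS = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "observability", "name": "read-pods"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "Role", "name": "pod-reader"},
}

# Constructed manifests (not from the issue) covering the other branches.
CLUSTERROLE_ADMIN = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
RB_ADMIN = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "observability", "name": "bind-admin"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
}
ROLE_EXEC = {
    "kind": "Role",
    "metadata": {"namespace": "observability", "name": "pod-exec"},
    "rules": [{"apiGroups": [CORE_GROUP], "resources": ["pods/exec", "pods/attach"],
               "verbs": ["create"]}],
}
RB_EXEC = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "observability", "name": "bind-exec"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "Role", "name": "pod-exec"},
}
RB_DANGLING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "observability", "name": "bind-missing"},
    "subjects": [{"kind": "User", "name": "jane"}],
    "roleRef": {"kind": "Role", "name": "does-not-exist"},
}
MANIFESTS = [ROLE_POD_READER, RB_READ_PODS, CLUSTERROLE_ADMIN, RB_ADMIN,
             ROLE_EXEC, RB_EXEC, RB_DANGLING]


def role_key(kind, namespace, name):
    # ClusterRoles are cluster-scoped, so their key carries no namespace.
    return (kind, namespace if kind == "Role" else "", name)


def index_roles(manifests):
    idx = {}
    for m in manifests:
        if m["kind"] in ("Role", "ClusterRole"):
            md = m["metadata"]
            idx[role_key(m["kind"], md.get("namespace", ""), md["name"])] = m
    return idx


def resolve_role_ref(binding, idx):
    # A roleRef of kind Role can only point into the binding's own namespace.
    ref = binding["roleRef"]
    ns = binding["metadata"].get("namespace", "")
    return idx.get(role_key(ref["kind"], ns, ref["name"]))


def has_wildcard(rules):
    return any("*" in r.get(f, []) for r in rules
               for f in ("apiGroups", "resources", "verbs"))


def allows_exec_or_attach(rules):
    # pods/exec and pods/attach live in the core group; "*" covers them too.
    targets = {"pods/exec", "pods/attach", "*"}
    return any(set(r.get("resources", [])) & targets
               and set(r.get("apiGroups", [])) & {CORE_GROUP, "*"} for r in rules)


def audit_binding(binding, idx):
    """Return finding IDs; the kind in each ID is the kind actually referenced."""
    ref = binding["roleRef"]
    kind = ref["kind"]
    role = resolve_role_ref(binding, idx)
    rules = role.get("rules", []) if role else []
    findings = []
    if (kind == "ClusterRole" and ref["name"] == "cluster-admin") or has_wildcard(rules):
        findings.append(f"rolebindingClusterAdmin{kind}")
    if role is None or allows_exec_or_attach(rules):  # missing role is reported here
        findings.append(f"rolebinding{kind}PodExecAttach")
    return findings


def audit_all(manifests):
    idx = index_roles(manifests)
    return {m["metadata"]["name"]: audit_binding(m, idx)
            for m in manifests if m["kind"] == "RoleBinding"}


if __name__ == "__main__":
    for name, findings in audit_all(MANIFESTS).items():
        print(f"{name}: {findings or 'passed'}")
```

With the issue's two manifests, `read-pods` produces no findings; the constructed `bind-admin`, `bind-exec` and `bind-missing` bindings show the three conditions that should fire, each named after the kind in the `roleRef` rather than unconditionally after `ClusterRole`.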