Policy also applies to rolebinding binding cluster-admin clusterrole

Signed-off-by: Saurabh Pandit <[email protected]>
xunholy · Jun 12, 2020 · 694c5b5 · 694c5b5
1 parent d4a74d7
commit 694c5b5
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 8 deletions.
diff --git a/policies/CIS.5.1.1.rego b/policies/CIS.5.1.1.rego
@@ -8,7 +8,13 @@ violation[msg] {
     msg = kubernetes.format(sprintf("ClusterRoleBinding %v - Binding to cluster-admin role is not allowed", [clusterrolebinding.metadata.name]))
 }
 
-is_clusterrole_admin(clusterrolebinding) {
-    clusterrolebinding.roleRef.name == "cluster-admin"
-    startswith(clusterrolebinding.metadata.name, "system:") == false
+violation[msg] {
+    kubernetes.rolebindings[rolebinding]
+    is_clusterrole_admin(rolebinding)
+    msg = kubernetes.format(sprintf("RoleBinding %v - Binding to cluster-admin role is not allowed", [rolebinding.metadata.name]))
+}
+
+is_clusterrole_admin(rolebinding) {
+    rolebinding.roleRef.name == "cluster-admin"
+    startswith(rolebinding.metadata.name, "system:") == false
 }
diff --git a/policies/CIS.5.1.1_test.rego b/policies/CIS.5.1.1_test.rego
@@ -3,20 +3,32 @@ package cis_5_1_1
 import data.lib.test
 
 test_violation {
-    test.violations(violation) with input as policy_input("example:view:binding", "cluster-admin")
+    test.violations(violation) with input as policy_input("ClusterRoleBinding", "example:view:binding", "cluster-admin")
+}
+
+test_violation_2 {
+    test.violations(violation) with input as policy_input("RoleBinding", "example:view:binding", "cluster-admin")
 }
 
 test_no_violation {
-    test.no_violations(violation) with input as policy_input("system:cluster-admin", "cluster-admin")
+    test.no_violations(violation) with input as policy_input("ClusterRoleBinding", "system:cluster-admin", "cluster-admin")
 }
 
 test_no_violation_2 {
-    test.no_violations(violation) with input as policy_input("stackdriver:fluentd-gcp", "stackdriver:fluentd-gcp")
+    test.no_violations(violation) with input as policy_input("RoleBinding", "system:cluster-admin", "cluster-admin")
+}
+
+test_no_violation_3 {
+    test.no_violations(violation) with input as policy_input("ClusterRoleBinding", "stackdriver:fluentd-gcp", "stackdriver:fluentd-gcp")
+}
+
+test_no_violation_4 {
+    test.no_violations(violation) with input as policy_input("RoleBinding", "stackdriver:fluentd-gcp", "stackdriver:fluentd-gcp")
 }
 
-policy_input(name, ref) = {
+policy_input(rolebindingkind, name, ref) = {
     "apiVersion": "rbac.authorization.k8s.io/v1",
-    "kind": "ClusterRoleBinding",
+    "kind": rolebindingkind,
     "metadata": {
         "name": name
     },