Merge pull request #32 from raspbernetes/feature/#26-cis-benchmark-5-1

CIS Policy 5.1.1 - disallow clusterrole binding to cluster-admin
xunholy · Jun 12, 2020 · b3219e1 · b3219e1
2 parents eb88cd0 + 694c5b5
commit b3219e1
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 0 deletions.
diff --git a/policies/CIS.5.1.1.rego b/policies/CIS.5.1.1.rego
@@ -0,0 +1,20 @@
+package cis_5_1_1
+
+import data.lib.kubernetes
+
+violation[msg] {
+    kubernetes.clusterrolebindings[clusterrolebinding]
+    is_clusterrole_admin(clusterrolebinding)
+    msg = kubernetes.format(sprintf("ClusterRoleBinding %v - Binding to cluster-admin role is not allowed", [clusterrolebinding.metadata.name]))
+}
+
+violation[msg] {
+    kubernetes.rolebindings[rolebinding]
+    is_clusterrole_admin(rolebinding)
+    msg = kubernetes.format(sprintf("RoleBinding %v - Binding to cluster-admin role is not allowed", [rolebinding.metadata.name]))
+}
+
+is_clusterrole_admin(rolebinding) {
+    rolebinding.roleRef.name == "cluster-admin"
+    startswith(rolebinding.metadata.name, "system:") == false
+}
diff --git a/policies/CIS.5.1.1_test.rego b/policies/CIS.5.1.1_test.rego
@@ -0,0 +1,47 @@
+package cis_5_1_1
+
+import data.lib.test
+
+test_violation {
+    test.violations(violation) with input as policy_input("ClusterRoleBinding", "example:view:binding", "cluster-admin")
+}
+
+test_violation_2 {
+    test.violations(violation) with input as policy_input("RoleBinding", "example:view:binding", "cluster-admin")
+}
+
+test_no_violation {
+    test.no_violations(violation) with input as policy_input("ClusterRoleBinding", "system:cluster-admin", "cluster-admin")
+}
+
+test_no_violation_2 {
+    test.no_violations(violation) with input as policy_input("RoleBinding", "system:cluster-admin", "cluster-admin")
+}
+
+test_no_violation_3 {
+    test.no_violations(violation) with input as policy_input("ClusterRoleBinding", "stackdriver:fluentd-gcp", "stackdriver:fluentd-gcp")
+}
+
+test_no_violation_4 {
+    test.no_violations(violation) with input as policy_input("RoleBinding", "stackdriver:fluentd-gcp", "stackdriver:fluentd-gcp")
+}
+
+policy_input(rolebindingkind, name, ref) = {
+    "apiVersion": "rbac.authorization.k8s.io/v1",
+    "kind": rolebindingkind,
+    "metadata": {
+        "name": name
+    },
+    "roleRef": {
+        "apiGroup": "rbac.authorization.k8s.io",
+        "kind": "ClusterRole",
+        "name": ref
+    },
+    "subjects": [
+        {
+            "apiGroup": "rbac.authorization.k8s.io",
+            "kind": "Group",
+            "name": "system:masters"
+        }
+    ]
+}
diff --git a/policies/lib/kubernetes.rego b/policies/lib/kubernetes.rego
@@ -153,6 +153,19 @@ clusterroles[clusterrole] {
     clusterrole = object
 }
 
+is_clusterrole_binding {
+    kind = "ClusterRoleBinding"
+}
+
+is_clusterrole_binding {
+    kind = "ClusterRoleBindings"
+}
+
+clusterrolebindings[clusterrolebinding] {
+    is_clusterrole_binding
+    clusterrolebinding = object
+}
+
 pod_containers(pod) = all_containers {
 	keys = {"containers", "initContainers"}
 	all_containers = [c | keys[k]; c = pod.spec[k][_]]