fix: fix k8s rbac filter #2765

Merged
merged 1 commit into from Aug 23, 2022

josedonizetti
Contributor

Signed-off-by: Jose Donizetti jdbjunior@gmail.com

Description

trivy k8s --security-checks=rbac --report=summary cluster
178 / 178 [--------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 4 p/s

Summary Report for minikube
┌──────────────┬─────────────────────────────────────────────────────────────────┬───────────────────┐
│  Namespace   │                            Resource                             │  RBAC Assessment  │
│              │                                                                 ├───┬───┬───┬───┬───┤
│              │                                                                 │ C │ H │ M │ L │ U │
├──────────────┼─────────────────────────────────────────────────────────────────┼───┼───┼───┼───┼───┤
│ trivy-system │ Role/trivy-operator                                             │   │   │ 1 │   │   │
│ kube-system  │ Role/system::leader-locking-kube-controller-manager             │   │   │ 1 │   │   │
│ kube-system  │ Role/system::leader-locking-kube-scheduler                      │   │   │ 1 │   │   │
│ kube-system  │ Role/system:controller:bootstrap-signer                         │ 1 │   │   │   │   │
│ kube-system  │ Role/system:controller:token-cleaner                            │ 1 │   │   │   │   │
│ kube-system  │ Role/system:persistent-volume-provisioner                       │   │ 2 │   │   │   │
│ kube-system  │ Role/system:controller:cloud-provider                           │   │   │ 1 │   │   │
│ kube-public  │ Role/system:controller:bootstrap-signer                         │   │   │ 1 │   │   │
│              │ ClusterRole/system:controller:endpointslicemirroring-controller │   │ 1 │   │   │   │
│              │ ClusterRole/system:controller:resourcequota-controller          │ 1 │   │   │   │   │
│              │ ClusterRole/system:kube-controller-manager                      │ 5 │ 2 │   │   │   │
│              │ ClusterRole/system:controller:horizontal-pod-autoscaler         │ 2 │   │   │   │   │
│              │ ClusterRole/system:controller:replication-controller            │   │ 1 │   │   │   │
│              │ ClusterRole/system:aggregate-to-admin                           │ 1 │   │   │   │   │
│              │ ClusterRole/system:controller:job-controller                    │   │ 1 │   │   │   │
│              │ ClusterRole/system:controller:root-ca-cert-publisher            │   │   │ 1 │   │   │
│              │ ClusterRole/edit                                                │ 2 │ 7 │ 1 │   │   │
│              │ ClusterRole/system:node                                         │ 1 │   │   │   │   │
│              │ ClusterRole/system:controller:persistent-volume-binder          │ 1 │ 2 │   │   │   │
│              │ ClusterRole/system:controller:generic-garbage-collector         │ 1 │   │   │   │   │
│              │ ClusterRole/system:controller:expand-controller                 │ 1 │   │   │   │   │
│              │ ClusterRole/admin                                               │ 3 │ 7 │ 1 │   │   │
│              │ ClusterRole/system:controller:endpoint-controller               │   │ 1 │   │   │   │
│              │ ClusterRole/system:controller:replicaset-controller             │   │ 1 │   │   │   │
│              │ ClusterRole/system:controller:endpointslice-controller          │   │ 1 │   │   │   │
│              │ ClusterRole/system:controller:cronjob-controller                │   │ 2 │   │   │   │
│              │ ClusterRole/system:kube-scheduler                               │   │ 2 │   │   │   │
│              │ ClusterRole/cluster-admin                                       │ 2 │   │   │   │   │
│              │ ClusterRole/system:aggregate-to-edit                            │ 2 │ 7 │ 1 │   │   │
│              │ ClusterRole/trivy-operator                                      │ 1 │ 1 │   │   │   │
│              │ ClusterRole/system:controller:deployment-controller             │   │ 2 │   │   │   │
│              │ ClusterRole/system:controller:namespace-controller              │ 1 │   │   │   │   │
└──────────────┴─────────────────────────────────────────────────────────────────┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

Related issues

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: Jose Donizetti <jdbjunior@gmail.com>
@knqyf263 knqyf263 merged commit 2f2952c into aquasecurity:main Aug 23, 2022
@josedonizetti josedonizetti deleted the fix-k8s-rbac-filter branch August 23, 2022 09:47

Successfully merging this pull request may close these issues.

trivy k8s rbac filter not working