From 8b49e80961b007d4b7cc198e6eaa7ac4c6a35934 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Sun, 3 Mar 2024 13:40:08 +0200 Subject: [PATCH] add control C-0272 
Signed-off-by: YiscahLevySilas1 --- ...-0272-workloadwithadministrativeroles.json | 22 +++ .../filter.rego | 32 +++++ .../raw.rego | 129 ++++++++++++++++++ .../rule.metadata.json | 63 +++++++++ .../test/fail-wl-creates-pod/expected.json | 110 +++++++++++++++ .../input/clusterrole.yaml | 8 ++ .../input/clusterrolebinding.yaml | 15 ++ .../test/fail-wl-creates-pod/input/file.yaml | 17 +++ .../test/fail-wl-creates-pod/input/sa.json | 17 +++ .../pass-wl-limited-permissions/expected.json | 1 + .../input/clusterrole.yaml | 11 ++ .../input/clusterrolebinding.yaml | 15 ++ .../input/file.yaml | 17 +++ .../pass-wl-limited-permissions/input/sa.json | 17 +++ .../pass-wl-not-mount-sa-token/expected.json | 1 + .../input/clusterrole.yaml | 8 ++ .../input/clusterrolebinding.yaml | 15 ++ .../input/file.yaml | 17 +++ .../pass-wl-not-mount-sa-token/input/sa.json | 17 +++ .../test/pass-wl-rolebinding/expected.json | 1 + .../pass-wl-rolebinding/input/cluterrole.yaml | 8 ++ .../test/pass-wl-rolebinding/input/file.yaml | 17 +++ .../input/rolebinding.yaml | 13 ++ .../test/pass-wl-rolebinding/input/sa.json | 17 +++ 24 files changed, 588 insertions(+) create mode 100644 controls/C-0272-workloadwithadministrativeroles.json create mode 100644 rules/workload-with-administrative-roles/filter.rego create mode 100644 rules/workload-with-administrative-roles/raw.rego create mode 100644 rules/workload-with-administrative-roles/rule.metadata.json create mode 100644 rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json create mode 100644 rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml create mode 100644 rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml create mode 100644 rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml create mode 100644 rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json create mode 100644 
rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
create mode 100644 rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json
diff --git a/controls/C-0272-workloadwithadministrativeroles.json b/controls/C-0272-workloadwithadministrativeroles.json
new file mode 100644
index 000000000..3d59e4f04
--- /dev/null
+++ b/controls/C-0272-workloadwithadministrativeroles.json
@@ -0,0 +1,22 @@
+{
+ "name": "Workload with administrative roles",
+ "attributes": {},
+ "description": "This control identifies workloads where the associated service accounts have roles that grant administrative-level access across the cluster. Granting a workload such expansive permissions equates to providing it cluster admin roles. This level of access can pose a significant security risk, as it allows the workload to perform any action on any resource, potentially leading to unauthorized data access or cluster modifications.",
+ "remediation": "You should apply least privilege principle. Make sure cluster admin permissions are granted only when it is absolutely necessary. Don't use service accounts with such high permissions for daily operations.",
+ "rulesNames": [
+ "workload-with-administrative-roles"
+ ],
+ "long_description": "In Kubernetes environments, workloads granted administrative-level privileges without restrictions represent a critical security vulnerability. When a service account associated with a workload is configured with permissions to perform any action on any resource, it essentially holds unrestricted access within the cluster, akin to cluster admin privileges. This configuration dramatically increases the risk of security breaches, including data theft, unauthorized modifications, and potentially full cluster takeovers. Such privileges allow attackers to exploit the workload for wide-ranging malicious activities, bypassing the principle of least privilege. 
Therefore, it's essential to follow the least privilege principle and make sure cluster admin permissions are granted only when it is absolutely necessary.",
+ "test": "Check if the service account used by a workload has cluster admin roles, either by being bound to the cluster-admin clusterrole, or by having equivalent high privileges.",
+ "controlID": "C-0272",
+ "baseScore": 6.0,
+ "category": {
+ "name" : "Workload"
+ },
+ "scanningScope": {
+ "matches": [
+ "cluster",
+ "file"
+ ]
+ }
+}
diff --git a/rules/workload-with-administrative-roles/filter.rego b/rules/workload-with-administrative-roles/filter.rego
new file mode 100644
index 000000000..a0037a65d
--- /dev/null
+++ b/rules/workload-with-administrative-roles/filter.rego
@@ -0,0 +1,32 @@
+package armo_builtins
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_beginning_of_path(wl)
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ }
+}
+
+
+get_beginning_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_beginning_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/raw.rego b/rules/workload-with-administrative-roles/raw.rego
new file mode 100644
index 000000000..a760b1cd6
--- /dev/null
+++ b/rules/workload-with-administrative-roles/raw.rego
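Review bot: The `test` field states that a service account "bound to the cluster-admin clusterrole" is detected, but the accompanying raw.rego never looks at the roleRef name; it flags a binding only when the referenced Role/ClusterRole is itself present in the scanned input and one of its rules carries wildcard resources, verbs and apiGroups. In a cluster scan the built-in cluster-admin ClusterRole should be fetched and carries such a wildcard rule, so that case is covered, but in a `file` scan (listed under scanningScope) a binding to cluster-admin stays silent unless the ClusterRole manifest is scanned alongside it. Either state that limitation in `test` or reword it to describe the wildcard-rule check the rule actually performs, e.g. `"test": "Check whether the service account used by a workload is bound to a Role or ClusterRole whose rules grant wildcard verbs on wildcard resources."`.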
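Review bot: The alertMessage in filter.rego says the workload `mounts service account tokens by default`, which looks copied from a different rule and disagrees with raw.rego, whose message for this finding is `has administrative roles`; change it to `sprintf("%v: %v in the following namespace: %v has administrative roles", [wl.kind, wl.metadata.name, wl.metadata.namespace])` so both outputs describe the same problem. The `start_of_path` binding is never read, and presumably exists only because `get_beginning_of_path` is undefined for non-workload kinds and so restricts the body to workloads; a comment such as `# undefined for kinds without a pod template, which filters them out` would stop the next reader from deleting it as dead code. The helper is called `get_beginning_of_path` here and `get_start_of_path` in raw.rego; the two files should agree on one name.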
@@ -0,0 +1,129 @@
+package armo_builtins
+
+import future.keywords.in
+
+deny[msga] {
+ wl := input[_]
+ start_of_path := get_start_of_path(wl)
+ wl_spec := object.get(wl, start_of_path, [])
+
+ # get service account wl is using
+ sa := input[_]
+ sa.kind == "ServiceAccount"
+ is_same_sa(wl_spec, sa.metadata, wl.metadata)
+
+ # check service account token is mounted
+ is_sa_auto_mounted(wl_spec, sa)
+
+ # check if sa has administrative roles
+ role := input[_]
+ role.kind in ["Role", "ClusterRole"]
+ is_administrative_role(role)
+
+ rolebinding := input[_]
+ rolebinding.kind in ["RoleBinding", "ClusterRoleBinding"]
+ rolebinding.roleRef.name == role.metadata.name
+ rolebinding.subjects[j].kind == "ServiceAccount"
+ rolebinding.subjects[j].name == sa.metadata.name
+ rolebinding.subjects[j].namespace == sa.metadata.namespace
+
+ reviewPath := "roleRef"
+ deletePath := sprintf("subjects[%d]", [j])
+
+ msga := {
+ "alertMessage": sprintf("%v: %v in the following namespace: %v has administrative roles", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [wl]
+ },
+ "relatedObjects": [{
+ "object": sa,
+ },
+ {
+ "object": rolebinding,
+ "reviewPaths": [reviewPath],
+ "deletePaths": [deletePath],
+ },
+ {
+ "object": role,
+ },]
+ }
+}
+
+
+get_start_of_path(workload) = start_of_path {
+ spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+ spec_template_spec_patterns[workload.kind]
+ start_of_path := ["spec", "template", "spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "Pod"
+ start_of_path := ["spec"]
+}
+
+get_start_of_path(workload) = start_of_path {
+ workload.kind == "CronJob"
+ start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"]
+}
+
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken not in pod spec
+ not wl_spec.automountServiceAccountToken == false
+ not 
wl_spec.automountServiceAccountToken == true
+
+ not sa.automountServiceAccountToken == false
+}
+
+is_sa_auto_mounted(wl_spec, sa) {
+ # automountServiceAccountToken set to true in pod spec
+ wl_spec.automountServiceAccountToken == true
+}
+
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ wl_spec.serviceAccountName == sa_metadata.name
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+is_same_sa(wl_spec, sa_metadata, wl_metadata) {
+ not wl_spec.serviceAccountName
+ sa_metadata.name == "default"
+ is_same_namespace(sa_metadata , wl_metadata)
+}
+
+# is_same_namespace supports cases where ns is not configured in the metadata
+# for yaml scans
+is_same_namespace(metadata1, metadata2) {
+ metadata1.namespace == metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ not metadata2.namespace
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata2.namespace
+ metadata1.namespace == "default"
+}
+
+is_same_namespace(metadata1, metadata2) {
+ not metadata1.namespace
+ metadata2.namespace == "default"
+}
+
+
+is_administrative_role(role){
+ administrative_resources := ["*"]
+ administrative_verbs := ["*"]
+ administrative_api_groups := ["", "*"]
+
+ administrative_rule := [rule | rule = role.rules[i] ;
+ rule.resources[a] in administrative_resources ;
+ rule.verbs[b] in administrative_verbs ;
+ rule.apiGroups[c] in administrative_api_groups]
+ count(administrative_rule) > 0
+}
diff --git a/rules/workload-with-administrative-roles/rule.metadata.json b/rules/workload-with-administrative-roles/rule.metadata.json
new file mode 100644
index 000000000..60fa9baf0
--- /dev/null
+++ b/rules/workload-with-administrative-roles/rule.metadata.json
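Review bot: The role/binding join in `deny` matches on `rolebinding.roleRef.name == role.metadata.name` alone, with no check of `roleRef.kind` and no namespace comparison, so a ClusterRole and a Role that share a name, or two Roles of the same name in different namespaces, are conflated: a workload bound to a limited Role named `admin` is flagged whenever any other Role or ClusterRole named `admin` in the input has wildcard rules, and `relatedObjects` then reports the wrong role. Add a kind comparison and, for `Role`, a namespace comparison against the binding (reusing `is_same_namespace` so file scans without namespaces keep working), as sketched below. Separately, `is_administrative_role` accepts a rule with `apiGroups: [""]`, `resources: ["*"]`, `verbs: ["*"]`, which only covers the core API group rather than "any resource", and it does not follow `aggregationRule` on ClusterRoles; both may be acceptable scope decisions but deserve a comment above the function.
```rego
	rolebinding := input[_]
	rolebinding.kind in ["RoleBinding", "ClusterRoleBinding"]
	rolebinding.roleRef.kind == role.kind
	rolebinding.roleRef.name == role.metadata.name
	is_same_role_namespace(role, rolebinding)
	# … unchanged: subject matching, reviewPath/deletePath, msga …
}

# A ClusterRole is cluster-scoped; a Role only resolves within the binding's own namespace.
is_same_role_namespace(role, rolebinding) {
	role.kind == "ClusterRole"
}

is_same_role_namespace(role, rolebinding) {
	role.kind == "Role"
	is_same_namespace(role.metadata, rolebinding.metadata)
}
```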
@@ -0,0 +1,63 @@
+{
+ "name": "workload-with-administrative-roles",
+ "attributes": {},
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod",
+ "ServiceAccount"
+ ]
+ },
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Deployment",
+ "ReplicaSet",
+ "DaemonSet",
+ "StatefulSet"
+ ]
+ },
+ {
+ "apiGroups": [
+ "batch"
+ ],
+ "apiVersions": [
+ "*"
+ ],
+ "resources": [
+ "Job",
+ "CronJob"
+ ]
+ },
+ {
+ "apiGroups": [
+ "rbac.authorization.k8s.io"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "RoleBinding",
+ "ClusterRoleBinding",
+ "Role",
+ "ClusterRole"
+ ]
+ }
+ ],
+ "ruleDependencies": [],
+ "description": "",
+ "remediation": "",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json
new file mode 100644
index 000000000..2145eb79b
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/expected.json
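Review bot: `description` and `remediation` near the end of rule.metadata.json are empty strings, so the rule ships with no documentation of its own even though the control JSON in this same commit already has suitable text; fill them in, e.g. `"description": "Fails workloads whose service account is bound to a Role or ClusterRole with wildcard apiGroups, resources and verbs."` and `"remediation": "Apply least privilege: bind the workload's service account only to roles that grant the specific verbs and resources it needs."`. The `batch` entry also uses `"apiVersions": ["*"]` while every other entry pins `"v1"`; if the wildcard is deliberate (e.g. to pick up older CronJob versions), say so, otherwise align it with the rest.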
@@ -0,0 +1,110 @@
+[
+ {
+ "alertMessage": "Pod: test-pd in the following namespace: default has administrative roles",
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null,
+ "ruleStatus": "",
+ "packagename": "armo_builtins",
+ "alertScore": 9,
+ "alertObject": {
+ "k8sApiObjects": [
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pd"
+ }
+ }
+ ]
+ },
+ "relatedObjects": [
+ {
+ "object": {
+ "apiVersion": "v1",
+ "automountServiceAccountToken": true,
+ "kind": "ServiceAccount",
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRoleBinding",
+ "metadata": {
+ "name": "read-secrets-global"
+ },
+ "roleRef": {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "ClusterRole",
+ "name": "test"
+ },
+ "subjects": [
+ {
+ "apiGroup": "rbac.authorization.k8s.io",
+ "kind": "Group",
+ "name": "manager"
+ },
+ {
+ "kind": "ServiceAccount",
+ "name": "default",
+ "namespace": "default"
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": [
+ "roleRef"
+ ],
+ "deletePaths": [
+ "subjects[1]"
+ ],
+ "fixPaths": null
+ },
+ {
+ "object": {
+ "apiVersion": "rbac.authorization.k8s.io/v1",
+ "kind": "ClusterRole",
+ "metadata": {
+ "name": "test"
+ },
+ "rules": [
+ {
+ "apiGroups": [
+ ""
+ ],
+ "resources": [
+ "pods",
+ "*"
+ ],
+ "verbs": [
+ "create",
+ "*"
+ ]
+ }
+ ]
+ },
+ "failedPaths": null,
+ "reviewPaths": null,
+ "deletePaths": null,
+ "fixPaths": null
+ }
+ ]
+ }
+]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
new file mode 100644
index 000000000..630c8f34f
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["pods", "*"]
+ verbs: ["create", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..ba2b69958
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: ServiceAccount
+ name: default
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/fail-wl-creates-pod/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
new file mode 100644
index 000000000..54ca1a619
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["secrets"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["get"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e61c4d450
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: default
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-limited-permissions/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
new file mode 100644
index 000000000..6ede27070
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: ["*"]
+ resources: ["*", "secrets", "users"]
+ verbs: ["get", "*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
new file mode 100644
index 000000000..e1426bc28
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: read-secrets-global
+subjects:
+- kind: Group
+ name: manager
+ apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: dev
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
new file mode 100644
index 000000000..495720efa
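Review bot: This pass-wl-not-mount-sa-token fixture never reaches the automount branch its directory name describes: both subjects of the ClusterRoleBinding are Groups, so the rule's ServiceAccount subject match fails first, while the Pod in file.yaml and the ServiceAccount in sa.json (the next two hunks) both set `automountServiceAccountToken: true`. The expected `[]` would therefore still hold if `is_sa_auto_mounted` were deleted from raw.rego, which is what this test should be guarding. To exercise it, bind the default ServiceAccount as fail-wl-creates-pod does (`- kind: ServiceAccount`, `name: default`, `namespace: default`) and set `automountServiceAccountToken: false` in the Pod spec of file.yaml.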
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-not-mount-sa-token/input/sa.json
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/expected.json
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
new file mode 100644
index 000000000..fd8e287be
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/cluterrole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test
+rules:
+- apiGroups: [""]
+ resources: ["*"]
+ verbs: ["*"]
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml
new file mode 100644
index 000000000..495720efa
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/file.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pd
+ namespace: default
+spec:
+ automountServiceAccountToken: true
+ containers:
+ - image: k8s.gcr.io/test-webserver
+ name: test-container
+ volumeMounts:
+ - mountPath: /test-pd
+ name: test-volume
+ volumes:
+ - name: test-volume
+ hostPath:
+ path: /var
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
new file mode 100644
index 000000000..4448be426
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pod
+ namespace: kube-system
+subjects:
+- kind: User
+ name: jane
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: test
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json
new file mode 100644
index 000000000..ab36c3bb1
--- /dev/null
+++ b/rules/workload-with-administrative-roles/test/pass-wl-rolebinding/input/sa.json
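Review bot: The only subject of this RoleBinding is `kind: User` / `name: jane`, so the workload's `default` ServiceAccount is never bound and the expected `[]` holds whatever the rule does with namespaced bindings; the directory name pass-wl-rolebinding suggests the intent was a RoleBinding in kube-system granting the wildcard ClusterRole to the workload's SA in `default`. Had the subject been that ServiceAccount, the deny body in raw.rego would have flagged the Pod, because it compares the subject's name and namespace with the SA but never looks at the RoleBinding's own namespace; that is arguably still a finding (admin within kube-system), but not the cluster-wide one the control text describes, so the fixture and expected output need a decision on that case. The sibling file in this test directory is named `cluterrole.yaml`; it should be `clusterrole.yaml` to match the other three test directories.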
@@ -0,0 +1,17 @@
+{
+ "apiVersion": "v1",
+ "kind": "ServiceAccount",
+ "automountServiceAccountToken": true,
+ "metadata": {
+ "creationTimestamp": "2022-02-07T11:21:55Z",
+ "name": "default",
+ "namespace": "default",
+ "resourceVersion": "410",
+ "uid": "5195ed3a-fa3c-46ce-8c66-32d1a83ea41f"
+ },
+ "secrets": [
+ {
+ "name": "default-token-sn9f8"
+ }
+ ]
+}