FairwindsOps / polaris

Validation of best practices in your Kubernetes clusters
https://www.fairwinds.com/polaris
Apache License 2.0

Issues with rolebindingClusterAdminClusterRole and rolebindingClusterRolePodExecAttach #1003

Closed JoseAlvarezSonos closed 9 months ago

JoseAlvarezSonos commented 11 months ago

What happened?

I'm seeing some issues with the rolebindingClusterAdminClusterRole and rolebindingClusterRolePodExecAttach checks. I have IMO a simple ServiceAccount with a simple Role and RoleBinding, but Polaris throws an error with the aforementioned checks, and I don't fully understand how to fix them nor whether they are an issue. It seems more like a bug in Polaris.

Trying to check deeper I found this link https://polaris.docs.fairwinds.com/checks/security/, where it states:

And to my eyes, none of them apply to my configuration; this is a simplified version, but it triggers the issue:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: some-api
  namespace: dev
  labels:
    role: service
    tier: backend
imagePullSecrets:
  - name: regcred
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: some-api
  namespace: some-ns
rules:
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: some-api
  namespace: some-ns
roleRef:
  kind: Role
  name: some-api
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: some-api
    namespace: dev

What did you expect to happen?

To show success for my configuration.

How can we reproduce this?

Put the configuration I shared in a test.yaml file and run: polaris audit --audit-path test.yaml --format=pretty

Version

8.5.1

Additional context

No response

sudermanjr commented 11 months ago

Interestingly, this is not reproducible in-cluster, but I can reproduce it for YAML checks.

in-cluster test

kind create cluster
kubectl create ns some-ns
kubectl create ns dev
kubectl apply -f /tmp/test.yaml # copied yaml from issue
polaris audit --checks rolebindingRolePodExecAttach --format pretty
# Output has zero failed checks

sudermanjr commented 11 months ago

We've created an internal dev issue to track this. Thanks!

JoseAlvarezSonos commented 11 months ago

Hello, any news on this issue by any chance? 🙏

jslivka commented 9 months ago

We're reviewing a proposed PR fix for this; it should cover your example:

go run main.go audit --audit-path test-iac.yaml --format=pretty

Polaris audited Path test-iac.yaml at 2024-01-03T13:04:44-06:00
    Nodes: 0 | Namespaces: 0 | Controllers: 0
    Final score: 100

RoleBinding some-api in namespace some-ns
    rolebindingClusterRolePodExecAttach  🎉 Success
        Security - The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
    rolebindingRolePodExecAttach         🎉 Success
        Security - The RoleBinding does not reference a Role allowing Pod exec or attach
    rolebindingClusterAdminClusterRole   🎉 Success
        Security - The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
    rolebindingClusterAdminRole          🎉 Success
        Security - The RoleBinding does not reference a Role with wildcard permissions

ServiceAccount some-api in namespace dev

Role some-api in namespace some-ns
    rolePodExecAttach                    🎉 Success
        Security - The Role does not allow pods/exec or pods/attach
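The four RoleBinding checks named in this thread, as an added Go example that is not Polaris's own code: it resolves each RoleBinding's roleRef against the other objects in the same audit input and applies a simplified reading of the check descriptions shown in the output above. The input is the issue's Role and RoleBinding re-encoded as JSON (Kubernetes accepts either form) plus a constructed ClusterRole named debug-exec and two constructed bindings that should fail; the struct types, the grants/intersects helpers, the exact definition of "allows exec/attach" and "wildcard", and the choice to report an unresolvable reference as an error rather than a failed check are this example's own assumptions, not Polaris's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type Meta struct{ Name, Namespace string }
type RoleRef struct{ Kind, Name string }

// Object is a loose union of Role, ClusterRole and RoleBinding (unused fields stay zero), standing
// in for the k8s.io/api types Polaris uses; encoding/json matches JSON keys to field names case-insensitively.
type Object struct {
	Kind     string
	Metadata Meta
	Rules    []PolicyRule // Role, ClusterRole
	RoleRef  RoleRef      // RoleBinding
}

// Constructed sample: the issue's Role and RoleBinding as JSON, plus a hypothetical ClusterRole "debug-exec" and two bindings that should fail.
const sampleManifests = `[
{"kind":"Role","metadata":{"name":"some-api","namespace":"some-ns"},"rules":[{"apiGroups":[""],"resources":["services"],"verbs":["get","list"]}]},
{"kind":"RoleBinding","metadata":{"name":"some-api","namespace":"some-ns"},"roleRef":{"kind":"Role","name":"some-api"}},
{"kind":"ClusterRole","metadata":{"name":"debug-exec"},"rules":[{"apiGroups":[""],"resources":["pods/exec"],"verbs":["create"]}]},
{"kind":"RoleBinding","metadata":{"name":"debug","namespace":"some-ns"},"roleRef":{"kind":"ClusterRole","name":"debug-exec"}},
{"kind":"RoleBinding","metadata":{"name":"admin","namespace":"some-ns"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}
]`

func LoadManifests(doc string) ([]Object, error) {
	var objs []Object
	err := json.Unmarshal([]byte(doc), &objs)
	return objs, err
}

func intersects(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// grants reports whether one rule matches an entry from each of the three lists.
func grants(rules []PolicyRule, groups, resources, verbs []string) bool {
	for _, r := range rules {
		if intersects(r.APIGroups, groups) && intersects(r.Resources, resources) && intersects(r.Verbs, verbs) {
			return true
		}
	}
	return false
}

// EvaluateRoleBinding runs the four RoleBinding checks named in the thread; a check that does not apply to
// the roleRef kind passes. An unresolved reference is an error, not a failure, so partial input stays quiet.
func EvaluateRoleBinding(rb Object, objs []Object) (map[string]bool, error) {
	res := map[string]bool{ // every check starts as passing
		"rolebindingClusterRolePodExecAttach": true, "rolebindingRolePodExecAttach": true,
		"rolebindingClusterAdminClusterRole": true, "rolebindingClusterAdminRole": true,
	}
	ref := rb.RoleRef
	if ref.Kind == "ClusterRole" && ref.Name == "cluster-admin" { // built-in, never present in manifests
		res["rolebindingClusterAdminClusterRole"] = false
		return res, nil
	}
	ns := rb.Metadata.Namespace // a Role must live in the binding's namespace
	if ref.Kind == "ClusterRole" {
		ns = "" // ClusterRoles are not namespaced
	}
	var role *Object
	for i := range objs {
		if objs[i].Kind == ref.Kind && objs[i].Metadata.Name == ref.Name && objs[i].Metadata.Namespace == ns {
			role = &objs[i]
		}
	}
	if role == nil {
		return res, fmt.Errorf("%s %q bound by RoleBinding %s/%s is not among the audited objects", ref.Kind, ref.Name, rb.Metadata.Namespace, rb.Metadata.Name)
	}
	// Simplified readings of the check text (create on pods/exec or pods/attach in the core group; "*" on groups, resources and verbs in one rule); the keys name the Role/ClusterRole variant of each check id.
	res["rolebinding"+ref.Kind+"PodExecAttach"] = !grants(role.Rules, []string{"", "*"}, []string{"pods/exec", "pods/attach", "*"}, []string{"create", "*"})
	res["rolebindingClusterAdmin"+ref.Kind] = !grants(role.Rules, []string{"*"}, []string{"*"}, []string{"*"})
	return res, nil
}

func main() {
	objs, err := LoadManifests(sampleManifests)
	if err != nil {
		panic(err)
	}
	for _, o := range objs {
		if o.Kind == "RoleBinding" {
			res, err := EvaluateRoleBinding(o, objs)
			fmt.Println("RoleBinding", o.Metadata.Namespace+"/"+o.Metadata.Name, res, err)
		}
	}
}
```

Running it prints one line per binding: the issue's some-api binding passes all four checks, the constructed debug binding fails rolebindingClusterRolePodExecAttach, and the constructed admin binding fails rolebindingClusterAdminClusterRole. The example ignores subjects entirely, since the four check descriptions speak only about what the binding references, so the ServiceAccount living in the dev namespace has no bearing on the result.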