Closed JoseAlvarezSonos closed 9 months ago
Interestingly, this is not reproducible in-cluster, but I can reproduce it for YAML checks.
in-cluster test
kind create cluster
kubectl create ns some-ns
kubectl create ns dev
kubectl apply -f /tmp/test.yaml # copied yaml from issue
polaris audit --checks rolebindingRolePodExecAttach --format pretty
# Output has zero failed checks
We've created an internal dev issue to track this. Thanks!
Hello, any news on this issue by any chance?
We're reviewing a proposed PR fix for this, which should cover your example:
go run main.go audit --audit-path test-iac.yaml --format=pretty
Polaris audited Path test-iac.yaml at 2024-01-03T13:04:44-06:00
Nodes: 0 | Namespaces: 0 | Controllers: 0
Final score: 100
RoleBinding some-api in namespace some-ns
rolebindingClusterRolePodExecAttach ✅ Success
Security - The RoleBinding does not reference a ClusterRole allowing pods/exec or pods/attach
rolebindingRolePodExecAttach ✅ Success
Security - The RoleBinding does not reference a Role allowing Pod exec or attach
rolebindingClusterAdminClusterRole ✅ Success
Security - The RoleBinding does not reference the default cluster-admin ClusterRole or one with wildcard permissions
rolebindingClusterAdminRole ✅ Success
Security - The RoleBinding does not reference a Role with wildcard permissions
ServiceAccount some-api in namespace dev
Role some-api in namespace some-ns
rolePodExecAttach ✅ Success
Security - The Role does not allow pods/exec or pods/attach
What happened?
I'm seeing some issues with the rolebindingClusterAdminClusterRole and rolebindingClusterRolePodExecAttach checks. I have, IMO, a simple ServiceAccount with a simple Role and RoleBinding, but Polaris throws an error with the aforementioned checks, and I don't fully understand how to fix them nor whether they are an issue. It seems more like a bug in Polaris.
Trying to check deeper I found this link https://polaris.docs.fairwinds.com/checks/security/, where it states:
And to my eyes, none of them apply to my conf; this is a simplified version, but it triggers the issue:
What did you expect to happen?
To show success for my configuration.
How can we reproduce this?
Put the configuration I shared in a test.yaml file and run:
polaris audit --audit-path test.yaml --format=pretty
Version
8.5.1
Additional context
No response
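To make the four RoleBinding checks discussed in this issue concrete, here is an added standalone Python example. It is not Polaris's code and only approximates its logic: a RoleBinding fails the exec/attach check if the Role or ClusterRole it references can `create` `pods/exec` or `pods/attach` (or `*` resources) in the core API group, and fails the cluster-admin check if it references the built-in `cluster-admin` or a role with a `*`/`*`/`*` rule. The manifests are constructed sample input (the names some-api, dev and some-ns come from the audit output above; the rules and the second "debugger" Role/RoleBinding are made up for contrast), given as already-decoded dicts as `yaml.safe_load_all` would return them. A roleRef that cannot be resolved inside the manifest set is reported as `unresolved` rather than as a pass or a fail, since a file-based audit, unlike an in-cluster one, only sees the objects in the file.

```python
"""Static RBAC review of Kubernetes manifests (added example, not Polaris code):
does each RoleBinding grant pods/exec or pods/attach, or bind cluster-admin
or a wildcard role?"""

EXEC_ATTACH = {"pods/exec", "pods/attach"}
WRITE_VERBS = {"create", "*"}

# Check names follow the Polaris report; (admin check, exec/attach check) per roleRef kind.
CHECKS = {
    "Role": ("rolebindingClusterAdminRole", "rolebindingRolePodExecAttach"),
    "ClusterRole": ("rolebindingClusterAdminClusterRole", "rolebindingClusterRolePodExecAttach"),
}


def rule_allows_exec_attach(rule):
    """True if one PolicyRule can create pods/exec or pods/attach (core API group)."""
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    if not (groups & {"", "*"}):                 # pods live in the core ("") group
        return False
    if not (resources & (EXEC_ATTACH | {"*"})):
        return False
    return bool(verbs & WRITE_VERBS)             # exec/attach are created, not read


def rule_is_wildcard(rule):
    """True for a */*/* rule, i.e. cluster-admin-equivalent permissions."""
    return all("*" in (rule.get(k) or []) for k in ("apiGroups", "resources", "verbs"))


def index_roles(manifests):
    """Map (kind, namespace, name) -> Role/ClusterRole manifest. ClusterRoles use ''."""
    idx = {}
    for m in manifests:
        if m.get("kind") in ("Role", "ClusterRole"):
            meta = m["metadata"]
            ns = meta.get("namespace", "") if m["kind"] == "Role" else ""
            idx[(m["kind"], ns, meta["name"])] = m
    return idx


def audit_rolebinding(rb, roles):
    """Return {check name: 'pass' | 'fail' | 'unresolved'} for one RoleBinding."""
    ref = rb["roleRef"]
    results = {name: "pass" for pair in CHECKS.values() for name in pair}
    admin_check, exec_check = CHECKS[ref["kind"]]
    if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
        # Built-in cluster-admin is */*/* by definition; no need to resolve it.
        results[admin_check] = results[exec_check] = "fail"
        return results
    lookup_ns = rb["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
    role = roles.get((ref["kind"], lookup_ns, ref["name"]))
    if role is None:
        # The referenced role is not in the manifest set: say so instead of guessing.
        results[admin_check] = results[exec_check] = "unresolved"
        return results
    rules = role.get("rules") or []
    if any(rule_is_wildcard(r) for r in rules):
        results[admin_check] = "fail"
    if any(rule_allows_exec_attach(r) for r in rules):
        results[exec_check] = "fail"
    return results


def audit_manifests(manifests):
    """Audit every RoleBinding in the set; keyed by 'namespace/name'."""
    roles = index_roles(manifests)
    return {
        f'{m["metadata"]["namespace"]}/{m["metadata"]["name"]}': audit_rolebinding(m, roles)
        for m in manifests if m.get("kind") == "RoleBinding"
    }


# Constructed sample manifests (names from the report above; rules are made up).
RBAC = "rbac.authorization.k8s.io/v1"
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "some-api", "namespace": "dev"}},
    {"apiVersion": RBAC, "kind": "Role",
     "metadata": {"name": "some-api", "namespace": "some-ns"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"apiVersion": RBAC, "kind": "RoleBinding",
     "metadata": {"name": "some-api", "namespace": "some-ns"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "some-api"},
     "subjects": [{"kind": "ServiceAccount", "name": "some-api", "namespace": "dev"}]},
    # Deliberately risky pair, constructed to show a failing check.
    {"apiVersion": RBAC, "kind": "Role",
     "metadata": {"name": "debugger", "namespace": "some-ns"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"apiVersion": RBAC, "kind": "RoleBinding",
     "metadata": {"name": "debugger", "namespace": "some-ns"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "ServiceAccount", "name": "some-api", "namespace": "dev"}]},
]

if __name__ == "__main__":
    for binding, findings in audit_manifests(SAMPLE_MANIFESTS).items():
        for check, status in findings.items():
            print(f"{binding:20} {check:40} {status}")
```

Running it prints `pass` for all four checks on some-ns/some-api, which is what the user expected for a Role that only reads ConfigMaps, and `fail` for rolebindingRolePodExecAttach on some-ns/debugger. The `unresolved` state is the design choice worth keeping in any file-based RBAC audit: a RoleBinding whose Role lives only in the cluster should not silently pass or fail.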