Closed borkodjurkovic-ssc closed 6 months ago
Hi @borkodjurkovic-ssc - Thanks for reaching out! I will recommend our team add `configsync.gke.io:root-reconciler` in a future release.
Hi @borkodjurkovic-ssc! - This has been updated: https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/nist-sp-800-53-r5/restrict-role-wildcards.yaml#L49
We've been implementing the NIST SP 800-53 `K8sProhibitRoleWildcardAccess` constraint in our Anthos Autopilot cluster. We found that the policy did not include `configsync.gke.io:root-reconciler` in the `exemptions.clusterRoles` list. This causes the policy to mark the cluster as being not compliant. Below you can see that the cluster role definition uses wildcards for permissions. Should this cluster role be added by default to the exemption list (similar to how `configsync.gke.io:ns-reconciler` is already included in the exemption list)?
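To make the non-compliance concrete, here is an added stand-alone check (not code from the issue or from the gke-policy-library) that mirrors what a wildcard-access constraint evaluates: it flags any ClusterRole rule whose `apiGroups`, `resources` or `verbs` contain `*`, unless the role name is in an exemption list. The two sample ClusterRoles and the exact rule contents are constructed for illustration; the function names are assumptions.

```python
"""Added example: evaluate ClusterRoles for wildcard RBAC rules with an
exemption list, mimicking a K8sProhibitRoleWildcardAccess-style check.
Sample data is constructed, not copied from a live cluster."""

WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def rule_wildcards(rule):
    """Return the RBAC fields of one PolicyRule that contain '*'."""
    return [f for f in WILDCARD_FIELDS if "*" in rule.get(f, [])]


def violations(cluster_roles, exempt_names):
    """Return (name, rule_index, wildcard_fields) for every non-exempt
    ClusterRole rule that uses a wildcard; an empty list means compliant."""
    exempt = set(exempt_names)
    found = []
    for cr in cluster_roles:
        name = cr["metadata"]["name"]
        if name in exempt:
            continue  # exemptions.clusterRoles entry: skip the whole role
        for idx, rule in enumerate(cr.get("rules", [])):
            hit = rule_wildcards(rule)
            if hit:
                found.append((name, idx, hit))
    return found


# Constructed, abbreviated ClusterRole objects for the demonstration.
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "configsync.gke.io:root-reconciler"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "configsync.gke.io:ns-reconciler"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list"]}]},
]


def before_and_after():
    """Verdict with only ns-reconciler exempt vs. with both reconcilers exempt."""
    before = violations(SAMPLE_CLUSTER_ROLES,
                        ["configsync.gke.io:ns-reconciler"])
    after = violations(SAMPLE_CLUSTER_ROLES,
                       ["configsync.gke.io:ns-reconciler",
                        "configsync.gke.io:root-reconciler"])
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), before_and_after()):
        print(label, result)
```

The `before` result is exactly the finding described in the issue: the root-reconciler role is the only remaining violation once ns-reconciler is exempt, and adding it to the exemption list yields an empty (compliant) result.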