NodeRestriction prevents nodes from abusing certain powerful permissions even if they're granted to them via RBAC. rbac-police should take that into account. Possible implementation:
Add a --node-restriction flag to eval to indicate the cluster uses NodeRestriction, and expose its value to Rego policies. The default value should probably be false for now.
Add a preventedByNodeRestriction variable to policies whose detected attack NodeRestriction stops.
Modify the Rego wrapper to drop node violations when the policy sets preventedByNodeRestriction and --node-restriction is enabled.
The combined violations in steal_pods.rego would need to be refactored (and would probably be a bit ugly).
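The three pieces of the proposal (the flag exposed to policies, the per-policy preventedByNodeRestriction variable, and the wrapper dropping node findings) sketched in one self-contained Rego package. This is an added example, not rbac-police's own code: the input shape (input.config.nodeRestriction, input.nodes, input.serviceAccounts and their rules), the rule names, and the "create pods" check are all constructed here for illustration and do not match the project's real schema.

```rego
package example

# Added example, not rbac-police's own code. It models the proposal above:
# the policy declares preventedByNodeRestriction, eval is assumed to expose
# --node-restriction as input.config.nodeRestriction, and the wrapper stage
# suppresses node violations only when both hold. All input fields below are
# a constructed schema for this demo.

# Policy-level declaration: NodeRestriction stops the attack this policy detects.
preventedByNodeRestriction = true

# Assumed: eval passes the --node-restriction flag through as a boolean here.
nodeRestrictionEnabled {
    input.config.nodeRestriction == true
}

# Constructed risk check: any rule granting "create" on "pods".
hasRisk(rules) {
    some i
    rule := rules[i]
    rule.verbs[_] == "create"
    rule.resources[_] == "pods"
}

# Node identities that hold the permission (before the NodeRestriction filter).
rawNodeViolations[name] {
    node := input.nodes[_]
    hasRisk(node.rules)
    name := node.name
}

# Service accounts are unaffected by NodeRestriction and are always reported.
saViolations[name] {
    sa := input.serviceAccounts[_]
    hasRisk(sa.rules)
    name := sa.name
}

# Wrapper logic: drop node findings only when the policy says NodeRestriction
# prevents the attack AND the cluster actually enables the admission plugin.
droppedByNodeRestriction {
    nodeRestrictionEnabled
    preventedByNodeRestriction
}

nodeViolations = set() {
    droppedByNodeRestriction
} else = rawNodeViolations {
    true
}

# Combined result in the shape a report consumer might read.
violations := {"nodes": nodeViolations, "serviceAccounts": saViolations}
```

With input.config.nodeRestriction set to false (the proposed default), a node holding the permission shows up under violations.nodes; with it set to true, the same node disappears while service-account findings are unchanged, which is exactly the distinction the wrapper change is meant to express. Keeping the raw node set as a separate rule (rawNodeViolations) is what makes the combined-violations refactor in steal_pods.rego tractable: the filter is applied once in the wrapper rather than inside each policy's own combining logic.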