PaloAltoNetworks / rbac-police

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
MIT License

User permissions aren't evaluated if group violations are disabled #20

Open yuvalavra opened 10 months ago

yuvalavra commented 10 months ago

Because of a bug here (https://github.com/PaloAltoNetworks/rbac-police/blob/1ec5d029f008e29869572157c9645ce6c21399c8/pkg/eval/eval.go#L302-L306), disabling group violations would inadvertently cause user violations to be skipped as well.

So while `./rbac-police eval lib --violations users,groups` and `./rbac-police eval lib --violations all` worked as expected, `./rbac-police eval lib --violations users` wouldn't evaluate users.
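To make the symptom concrete, here is an added Go illustration (not rbac-police's own code) of the control-flow mistake the issue describes: a `--violations` value is parsed into the set of identity kinds to check, and a buggy evaluator reaches the user check only inside the group branch, while the fixed one gates each kind on its own flag. `ParseViolations`, `EvaluatedBuggy` and `EvaluatedFixed` are hypothetical names, and the nesting is a reconstruction of the reported behaviour, not the actual code at `eval.go:302-306`.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseViolations turns a --violations value such as "users", "groups",
// "users,groups" or "all" into the set of identity kinds to evaluate.
func ParseViolations(flag string) (map[string]bool, error) {
	want := map[string]bool{}
	for _, kind := range strings.Split(flag, ",") {
		switch k := strings.TrimSpace(kind); k {
		case "all":
			return map[string]bool{"users": true, "groups": true}, nil
		case "users", "groups":
			want[k] = true
		default:
			return nil, fmt.Errorf("unknown violation kind %q", k)
		}
	}
	return want, nil
}

// EvaluatedBuggy reproduces the symptom in the issue: the user check sits
// inside the group branch, so disabling groups silently skips users too.
// Hypothetical control flow, not the code at eval.go:302-306.
func EvaluatedBuggy(want map[string]bool) []string {
	var done []string
	if want["groups"] {
		done = append(done, "groups")
		if want["users"] {
			done = append(done, "users")
		}
	}
	return done
}

// EvaluatedFixed gates each identity kind on its own flag, independently.
func EvaluatedFixed(want map[string]bool) []string {
	var done []string
	if want["groups"] {
		done = append(done, "groups")
	}
	if want["users"] {
		done = append(done, "users")
	}
	return done
}
```

With `--violations users` the buggy evaluator returns an empty list, which is exactly why users were never evaluated; a regression test on that case catches the bug before release.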