PaloAltoNetworks / rbac-police

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
MIT License
339 stars 35 forks

fix: correct the detection logic for bind_roles #22

Closed Danny-Wei closed 6 months ago

Danny-Wei commented 11 months ago

Description

Only by granting accounts the bind permission on roles or clusterroles can they potentially elevate their privileges. Refer to Restrictions on role binding creation or update.

Therefore, it is necessary to check whether the rules in the role include the bind verb for the clusterroles or roles resources.

Motivation and Context

Correct the detection logic for bind_roles.

Types of changes

Checklist
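The check this PR describes, as an added example in Python rather than rbac-police's own Rego policy: walk the rules of a Role/ClusterRole manifest and report any rule that grants the bind verb on the roles or clusterroles resources in the rbac.authorization.k8s.io group. The manifests below are constructed samples, and wildcard handling is an assumption about how a practitioner would want such a check to behave.

```python
# Added example, not rbac-police's own code: flag rules in a Role/ClusterRole
# that grant the "bind" verb on the "roles" or "clusterroles" resources, the
# condition this PR describes for bind_roles. Wildcards ("*") in apiGroups,
# verbs or resources are treated as matches (assumption).
RBAC_GROUP = "rbac.authorization.k8s.io"
BIND_TARGETS = {"roles", "clusterroles"}


def rule_bind_targets(rule: dict) -> set:
    """Return which of roles/clusterroles this single rule allows binding."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    if "*" not in groups and RBAC_GROUP not in groups:
        return set()
    if "*" not in verbs and "bind" not in verbs:
        return set()
    if "*" in resources:
        return set(BIND_TARGETS)
    return BIND_TARGETS & set(resources)


def bind_roles_findings(role: dict) -> list:
    """Evaluate a Role/ClusterRole manifest (as a dict); list offending rules."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        targets = rule_bind_targets(rule)
        if targets:
            findings.append({
                "rule": index,
                "binds": sorted(targets),
                # resourceNames, if set, limit which roles can be bound
                "resourceNames": rule.get("resourceNames", []),
            })
    return findings


# Constructed sample manifests (not taken from any real cluster).
BIND_CLUSTERROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"], "verbs": ["bind"]},
]}
WILDCARD_ROLE = {"kind": "Role", "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}
# Can create rolebindings but has no "bind" on roles: not flagged by this check.
HARMLESS_ROLE = {"kind": "Role", "rules": [
    {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["bind"]},
]}

if __name__ == "__main__":
    for name, role in [("bind", BIND_CLUSTERROLE), ("wild", WILDCARD_ROLE), ("ok", HARMLESS_ROLE)]:
        print(name, bind_roles_findings(role))
```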