Closed snorwin closed 2 years ago
Great, thank you! We will have a look at that.
We don't have OpenShift, so we are trying to reproduce it without OpenShift.
In your case you had `risky_rolebinding.subjects=None`? Because I thought that the `for` loop won't access the loop if they are `None`.
Example of a `ClusterRoleBinding` in OCP4 causing the issue:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: 'system:node'
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: 'true'
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: 'system:node'
```
Thanks, we merged. We will change the `or []` to `is not None` before the loop so it will be readable.
Desired Outcome
In OpenShift, there are RoleBindings without subjects, which leads to problems:
Implemented Changes
Add checks for subjects in RoleBindings not equal to `None` in order to prevent `TypeError: 'NoneType' object is not iterable`. I saw that you added the "ApiClientTemp" for the rules in Roles, but I don't think it's worth copy/pasting more external code, so I decided to just add checks.
Connected Issue/Story
Similar to https://github.com/cyberark/KubiScan/issues/1 Related to https://github.com/kubernetes-client/python/issues/577, https://github.com/kubernetes-client/gen/issues/52
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be merged.
Changelog
Test coverage
Documentation
`README`s) were updated in this PR
Behavior
Security
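The failure and the guard discussed in this PR, as an added example that is not KubiScan's own code: `Binding` and `Subject` are hypothetical stand-ins for the Kubernetes client objects, and the risky-role set and the second binding are constructed. It shows that a single binding without subjects aborts the unguarded scan before later bindings are reported, while the `is not None` check lets the scan continue.

```python
from dataclasses import dataclass
from typing import List, Optional


# Stand-ins for the Kubernetes client objects (assumed shapes, not the real classes).
@dataclass
class Subject:
    kind: str
    name: str


@dataclass
class Binding:
    name: str
    role: str
    subjects: Optional[List[Subject]] = None  # a missing "subjects:" field becomes None


def risky_subjects_unguarded(bindings, risky_roles):
    """Pre-fix behaviour: iterating subjects=None raises TypeError."""
    found = []
    for binding in bindings:
        if binding.role in risky_roles:
            for subject in binding.subjects:
                found.append((binding.name, subject.kind, subject.name))
    return found


def risky_subjects_guarded(bindings, risky_roles):
    """Guarded form: skip bindings without subjects and keep scanning."""
    found = []
    for binding in bindings:
        if binding.role not in risky_roles:
            continue
        if binding.subjects is not None:
            for subject in binding.subjects:
                found.append((binding.name, subject.kind, subject.name))
    return found


# Constructed sample: the subject-less binding from this thread, then one with a subject.
SAMPLE = [
    Binding(name="system:node", role="system:node"),
    Binding(name="ops-admin", role="cluster-admin",
            subjects=[Subject("ServiceAccount", "deployer")]),
]
RISKY_ROLES = {"system:node", "cluster-admin"}  # assumed set, for illustration only

if __name__ == "__main__":
    print(risky_subjects_guarded(SAMPLE, RISKY_ROLES))
```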