This PR adds remediation policies for the following RBAC best practices policies:
restrict-automount-sa-token
restrict-clusterrole-nodesproxy
restrict-wildcard-resources
In remediate-restrict-clusterrole-nodesproxy policy, we are replacing nodes/proxy with "" instead of removing it.
Consider we have a ClusterRole like this where the resources array contains a single element nodes/proxy
If we had performed a remove operation on nodes/proxy, then creation of the ClusterRole would have been blocked by Kubernetes with the following error:
The ClusterRole "badcr03" is invalid: rules[0].resources: Required value: resource rules must supply at least one resource
An empty string "" does not match any resources and can be considered a dummy value.
The above approach of replacing instead of removing has been followed in the remediate-restrict-wildcard-resources policy too.
Related Issues:
Checklist:
[ ] This PR requires a bump in kyverno-policies chart version.
[ ] I have created a PR to bump the enterprise-kyverno-operator chart version.
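The following is an added illustration, not code from this PR or from Kyverno: a small Python simulation of the mutation the PR describes and of the API-server check it quotes. The ClusterRole object is constructed here (only the name badcr03 and the error text come from the PR), and the matcher in rule_grants is a simplified stand-in for Kubernetes' RBAC resource matching, not the real implementation. It shows why a remove patch on a single-element resources array produces the "must supply at least one resource" rejection while replacing the entry with "" passes validation yet grants nothing, and it applies the same replace approach to a wildcard "*" entry, as the PR says the wildcard policy does.

```python
# Added example (not Kyverno's or the PR's own code): simulate the
# replace-vs-remove remediation on a ClusterRole and the API-server check.
from copy import deepcopy

# Constructed sample ClusterRole whose only resource is nodes/proxy.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "badcr03"},
    "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}],
}

# Constructed sample with a wildcard resource, for the wildcard-resources case.
SAMPLE_WILDCARD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-wildcard"},
    "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}],
}


def remediate(cr, forbidden="nodes/proxy", mode="replace"):
    """Return a mutated copy of a ClusterRole.

    mode="replace" swaps every occurrence of `forbidden` for "" (the approach
    the PR takes); mode="remove" deletes it from the array (the alternative the
    PR rejects). The original object is left untouched.
    """
    out = deepcopy(cr)
    for rule in out["rules"]:
        if mode == "replace":
            rule["resources"] = ["" if r == forbidden else r for r in rule["resources"]]
        elif mode == "remove":
            rule["resources"] = [r for r in rule["resources"] if r != forbidden]
        else:
            raise ValueError(f"unknown mode: {mode}")
    return out


def validate(cr):
    """Mimic the API-server validation quoted in the PR.

    Every rule must list at least one resource. Returns a list of error
    strings; an empty list means the object would be accepted.
    """
    errors = []
    for i, rule in enumerate(cr["rules"]):
        if not rule.get("resources"):
            errors.append(
                f"rules[{i}].resources: Required value: "
                "resource rules must supply at least one resource"
            )
    return errors


def rule_grants(rule, resource):
    """Simplified stand-in for RBAC resource matching (assumption, not the
    real matcher): "*" matches everything, otherwise an exact name match.
    Real resource names are never empty, so an entry of "" matches nothing."""
    return any(r == "*" or r == resource for r in rule["resources"])


def remediation_outcomes():
    """Summarise both strategies for the nodes/proxy sample and the replace
    strategy for the wildcard sample."""
    removed = remediate(SAMPLE_CLUSTERROLE, mode="remove")
    replaced = remediate(SAMPLE_CLUSTERROLE, mode="replace")
    wildcard_replaced = remediate(SAMPLE_WILDCARD_CLUSTERROLE, forbidden="*")
    return {
        "remove_errors": validate(removed),
        "replace_errors": validate(replaced),
        "replace_resources": replaced["rules"][0]["resources"],
        "replace_still_grants_nodes_proxy": rule_grants(replaced["rules"][0], "nodes/proxy"),
        "wildcard_replace_grants_secrets": rule_grants(wildcard_replaced["rules"][0], "secrets"),
    }


if __name__ == "__main__":
    for key, value in remediation_outcomes().items():
        print(f"{key}: {value}")
```

Running the module prints one line per outcome: the remove strategy yields exactly the rules[0].resources error from the PR, the replace strategy validates cleanly with resources ["" ] left in place, and neither the replaced nodes/proxy rule nor the replaced wildcard rule grants anything.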