This PR adds remediation policies for the following RBAC best practices policies:
restrict-automount-sa-token
restrict-clusterrole-nodesproxy
restrict-wildcard-resources
In remediate-restrict-clusterrole-nodesproxy policy, we are replacing nodes/proxy with "" instead of removing it.
Consider we have a ClusterRole like this where the resources array contains a single element nodes/proxy
If we had performed a remove operation on nodes/proxy, then creation of the ClusterRole would have been blocked by Kubernetes with the following error:
The ClusterRole "badcr03" is invalid: rules[0].resources: Required value: resource rules must supply at least one resource
An empty string "" does not match any resources and can be considered a dummy value.
The above approach of replacing instead of removing has been followed in remediate-restrict-wildcard-resources policy too
Related Issues:
Checklist:
[ ] This PR requires a bump in kyverno-policies chart version .
[ ] I have created a PR to bump the enterprise-kyverno-operator chart version.
Description:
This PR adds remediation policies for the following RBAC best practices policies:
In
remediate-restrict-clusterrole-nodesproxypolicy, we are replacingnodes/proxywith""instead of removing it. Consider we have aClusterRolelike this where theresourcesarray contains a single elementnodes/proxyWhen we apply the remediate policy on this, it gets mutated to:
If we had performed a
removeoperation onnodes/proxy, then creation of theClusterRolewould have been blocked by Kubernetes with the following error:An empty string
""does not match any resources and can be considered a dummy value.The above approach of replacing instead of removing has been followed in
remediate-restrict-wildcard-resourcespolicy tooRelated Issues:
Checklist: