polaris
FWI-2547: Add `rolePodExecAttach` and `clusterrolePodExecAttach` checks
Checklist
- [x] I have signed the CLA
- [x] I have updated/added any relevant documentation
Description
What's the goal of this PR?
Alert on user-defined Roles and ClusterRoles that allow execing or attaching to pods.
What alternative solution should we consider, if any?
The ClusterRole check factors out static names of built-in ClusterRoles that allow exec or attach. I chose not to match partial ClusterRole names like system:* or standard labels, because it is possible for user-defined ClusterRoles to be created with these same criteria. If future versions of Kubernetes add ClusterRoles with these permissions, those new ClusterRoles will need to be added to this check.
I've added a new schema test which will fail until Polaris PR 822 is merged - fixing an issue with namespace filtering Kube resources for additional schema validation.
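As an added illustration of what the two checks described above evaluate (this is stand-alone example code, not Polaris's own Go implementation or its YAML check definition), the script below scans constructed Role and ClusterRole manifests for rules that grant `pods/exec` or `pods/attach`. It applies the same design choice the description explains: built-in ClusterRoles are exempted by exact name only, so a user-defined ClusterRole whose name merely starts with `system:` is still flagged. The exemption list is the partial set of names quoted in this PR, and the verb set (`create`, `get`, `*`) is this example's assumption about which verbs can open a session.

```python
from typing import Optional

# Subresources that grant an interactive session on a pod.
EXEC_ATTACH_RESOURCES = {"pods/exec", "pods/attach"}
# Broader grants that implicitly include those subresources.
WILDCARD_RESOURCES = {"*", "pods/*"}
# Verbs that can open the session: create (POST), get (legacy websocket path)
# and the wildcard. This set is an assumption made for the example.
SESSION_VERBS = {"create", "get", "*"}
# Exact names of built-in ClusterRoles that legitimately carry these
# permissions. Exempted by full name, never by prefix such as "system:".
# Partial list, limited to the names quoted in the PR discussion.
BUILTIN_CLUSTERROLES = {
    "cluster-admin",
    "system:controller:generic-garbage-collector",
    "system:controller:namespace-controller",
}


def rule_allows_exec_or_attach(rule: dict) -> bool:
    """True if one RBAC rule can open an exec or attach session on pods."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = bool(groups & {"", "*"})          # pods live in the core group
    session_resource = bool(resources & (EXEC_ATTACH_RESOURCES | WILDCARD_RESOURCES))
    return core_group and session_resource and bool(verbs & SESSION_VERBS)


def check_pod_exec_attach(obj: dict) -> Optional[dict]:
    """Return a finding for a Role/ClusterRole that allows exec/attach, else None."""
    kind = obj.get("kind")
    if kind not in ("Role", "ClusterRole"):
        return None
    name = obj["metadata"]["name"]
    # Exact-name exemption only; "system:something-else" is not exempt.
    if kind == "ClusterRole" and name in BUILTIN_CLUSTERROLES:
        return None
    offending = [r for r in obj.get("rules", []) if rule_allows_exec_or_attach(r)]
    if not offending:
        return None
    check_id = "rolePodExecAttach" if kind == "Role" else "clusterrolePodExecAttach"
    return {"check": check_id, "kind": kind, "name": name, "rules": offending}


def scan(objects: list) -> list:
    """Run the check over a list of manifests and return all findings."""
    return [f for f in (check_pod_exec_attach(o) for o in objects) if f]


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "debug-role", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:my-debugger"},
     "rules": [{"apiGroups": [""], "resources": ["pods/attach"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "apps-admin", "namespace": "dev"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_OBJECTS):
        print(f"{finding['check']}: {finding['kind']}/{finding['name']}")
```

Running it flags `debug-role` and `system:my-debugger` while leaving `cluster-admin` (exact built-in name), `pod-reader` (no exec/attach subresource) and `apps-admin` (wrong API group) alone. Adding a new built-in ClusterRole name means extending `BUILTIN_CLUSTERROLES`, which is the same maintenance cost the description notes for the real check.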
@makoscafee Thank you for the review. Let me know whether you have additional things you think I should address, or whether this is good to merge.
LGTM, just wanted to ask if the test for ClusterRole/ClusterRoleBinding/Role/RoleBinding which has these constants in their names was not included on purpose:
- "cluster-admin"
- "system:controller:generic-garbage-collector"
- "system:controller:namespace-controller" etc.
I did add a couple more tests for those, thanks for that suggestion.
I also removed code that checks for default bindings to ClusterRoles and Roles, because there actually are not any default bindings in Kube - that code being in those 2 checks was an artifact of copy/pasting from the ClusterRoleBinding check.