
Improve Conftest checks for ClusterRole/ClusterRoleBinding

Open sj-williams opened this issue 9 months ago • 0 comments

Background

We currently have a conftest policy that detects user PRs that attempt to configure RBAC for binding to the cluster-admin ClusterRole:

https://github.com/ministryofjustice/cloud-platform-environments/blob/main/policy/rolebinding.rego

We should enhance this policy to ensure user PRs cannot bind to any other ClusterRoles with elevated permissions (or even create ClusterRole / ClusterRoleBinding objects outside of the default admin we set for all namespace RBAC).

Proposed user journey

Approach

Which part of the user docs does this impact

Communicate changes

  • [ ] post for #cloud-platform-update
  • [ ] Weeknotes item
  • [ ] Show the Thing/P&A All Hands/User CoP
  • [ ] Announcements channel

Questions / Assumptions

Definition of done

  • [ ] readme has been updated
  • [ ] user docs have been updated
  • [ ] another team member has reviewed
  • [ ] smoke tests are green
  • [ ] prepare demo for the team

Reference

How to write good user stories

sj-williams · May 02 '24 10:05
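One way to implement the enhanced check the issue asks for, as an added example: this is not the repository's existing rolebinding.rego nor a policy the project has adopted. It assumes conftest's default convention of a `package main` with `deny` rules evaluated against each YAML document as `input`, the `rego.v1` syntax (OPA 0.59 or newer, which current conftest releases bundle), and an allowlist of `admin`, `edit` and `view` (the default Kubernetes user-facing ClusterRoles) as the only ClusterRoles a namespace RoleBinding may reference. That allowlist is an assumption and must include whatever the platform's default admin binding references, or every namespace's default RBAC file would fail the check. Rather than trying to enumerate every "elevated" ClusterRole, the policy refuses anything outside the allowlist, so a custom ClusterRole with wide rules is caught the same way cluster-admin is.

```rego
package main

import rego.v1

# Assumed allowlist: the default Kubernetes user-facing roles. Anything else a
# RoleBinding points at (cluster-admin, system:* roles, custom ClusterRoles) is
# refused. Adjust to match the default admin binding the platform creates.
allowed_cluster_roles := {"admin", "edit", "view"}

# Cluster-scoped RBAC kinds. Namespace RBAC never needs them, so a user PR
# creating one is denied outright; a ClusterRoleBinding to cluster-admin is
# caught here rather than by inspecting its roleRef.
cluster_scoped_rbac_kinds := {"ClusterRole", "ClusterRoleBinding"}

# Only look at RBAC API objects; Deployments, Services etc. pass through.
is_rbac_object if startswith(input.apiVersion, "rbac.authorization.k8s.io/")

# Rule 1: no ClusterRole or ClusterRoleBinding objects at all.
deny contains msg if {
	is_rbac_object
	input.kind in cluster_scoped_rbac_kinds
	msg := sprintf("%s %q: user PRs may not create %s objects; namespace RBAC should use Role and RoleBinding only",
		[input.kind, input.metadata.name, input.kind])
}

# Rule 2: a RoleBinding may reference a ClusterRole only from the allowlist.
# Bindings to a namespaced Role (roleRef.kind == "Role") are left alone, since
# such a Role can grant no more than what exists in the namespace.
deny contains msg if {
	is_rbac_object
	input.kind == "RoleBinding"
	input.roleRef.kind == "ClusterRole"
	role := input.roleRef.name
	not role in allowed_cluster_roles

	# metadata.namespace may be absent in a manifest applied with -n; fall back
	# so the sprintf still binds and the deny is not silently dropped.
	ns := object.get(input.metadata, "namespace", "<unset>")
	msg := sprintf("RoleBinding %q (namespace %q) binds ClusterRole %q, which is not in the allowed set (admin, edit, view)",
		[input.metadata.name, ns, role])
}
```

With this saved alongside the other policies, a run of the form `conftest test -p policy/ <path-to-namespace-manifests>` (paths here are placeholders) reports one deny per offending document. The existing cluster-admin case remains covered twice over: a RoleBinding to cluster-admin fails rule 2 because cluster-admin is not allowlisted, and a ClusterRoleBinding to it fails rule 1 regardless of roleRef. The fallback for a missing `metadata.namespace` matters because an undefined value inside `sprintf` makes the whole rule body undefined in Rego, which would turn a missing field into a false negative rather than an error.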