Change roleRef pattern to subjects (#778)

* chore: add script to update artifacthub digest (#769) * chore: add script to update artifacthub digest Signed-off-by: Charles-Edouard Brétéché <[email protected]> * fix Signed-off-by: Charles-Edouard Brétéché <[email protected]> * script Signed-off-by: Charles-Edouard Brétéché <[email protected]> * install Signed-off-by: Charles-Edouard Brétéché <[email protected]> * install Signed-off-by: Charles-Edouard Brétéché <[email protected]> * fix digest Signed-off-by: Charles-Edouard Brétéché <[email protected]> --------- Signed-off-by: Charles-Edouard Brétéché <[email protected]> Signed-off-by: Rangan Mahesh <[email protected]> * Change roleRef pattern to subjects Changed the roleRef in patterns to subjects as the system groups are defined under subjects and not roleRef Signed-off-by: RanganMahesh <[email protected]> Signed-off-by: Rangan Mahesh <[email protected]> * Update artifacthub-pkg.yml Recalculated SHA256 and updated Signed-off-by: RanganMahesh <[email protected]> Signed-off-by: Rangan Mahesh <[email protected]> * Updated files to match new pattern Signed-off-by: Rangan Mahesh <[email protected]> * Sign-off commit Signed-off-by: RanganMahesh <[email protected]> Signed-off-by: Rangan Mahesh <[email protected]> * Fix syntax issue and resolve test casses Signed-off-by: Rangan Mahesh <[email protected]> * Update SHA256 digest Signed-off-by: Rangan Mahesh <[email protected]> --------- Signed-off-by: Charles-Edouard Brétéché <[email protected]> Signed-off-by: Rangan Mahesh <[email protected]> Signed-off-by: RanganMahesh <[email protected]> Co-authored-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Oct 12, 2023 · 3a9624e · 3a9624e
1 parent 3b7d0a3
commit 3a9624e
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 31 deletions.
diff --git a/other/res/restrict-binding-system-groups/artifacthub-pkg.yml b/other/res/restrict-binding-system-groups/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
   kyverno/category: "Security, EKS Best Practices"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC"
-digest: 8de0c1d6797c8925007a6e12a2911edec500ccf987880a581ddb1906e8bf9b87
+digest: d0336a6276727ee78903d87ca14097913d5983b35566d3f47efbf72aa59f2f4d
diff --git a/other/res/restrict-binding-system-groups/crb-bad.yaml b/other/res/restrict-binding-system-groups/crb-bad.yaml
@@ -4,11 +4,11 @@ metadata:
   name: badcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:anonymous"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,21 +18,23 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system:unauthenticated"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:unauthenticated"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: badcrb03
 subjects:
-- kind: ServiceAccount
+- kind: Group
   namespace: foo
-  name: manager
+  name: "system:masters"
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: "system:masters"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
diff --git a/other/res/restrict-binding-system-groups/crb-good.yaml b/other/res/restrict-binding-system-groups/crb-good.yaml
@@ -4,11 +4,11 @@ metadata:
   name: goodcrb01
 subjects:
 - kind: Group
-  name: manager
+  name: secret-reader
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: ClusterRole
-  name: secret-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -18,10 +18,10 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: foo-reader
 roleRef:
   kind: ClusterRole
-  name: foo-reader
+  name: manager
   apiGroup: rbac.authorization.k8s.io
 
 ---
@@ -32,8 +32,8 @@ metadata:
 subjects:
 - kind: ServiceAccount
   namespace: foo
-  name: manager
+  name: "system.foo"
 roleRef:
   kind: ClusterRole
-  name: "system:foo"
+  name: manager
   apiGroup: rbac.authorization.k8s.io
diff --git a/other/res/restrict-binding-system-groups/rb-bad.yaml b/other/res/restrict-binding-system-groups/rb-bad.yaml
@@ -3,36 +3,38 @@ kind: RoleBinding
 metadata:
   name: badrb01
 subjects:
-- kind: User
-  name: foo
+- kind: Group
+  name: "system:anonymous"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:anonymous"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: badrb02
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:unauthenticated"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:unauthenticated"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: badrb03
 subjects:
-- kind: ServiceAccount
-  name: foo
+- kind: Group
+  name: "system:masters"
   namespace: foo
+  apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:masters"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
diff --git a/other/res/restrict-binding-system-groups/rb-good.yaml b/other/res/restrict-binding-system-groups/rb-good.yaml
@@ -30,9 +30,9 @@ metadata:
   name: goodrb03
 subjects:
 - kind: Group
-  name: foo
+  name: "system:foo"
   apiGroup: rbac.authorization.k8s.io
 roleRef:
   kind: Role
-  name: "system:foo"
+  name: foo
   apiGroup: rbac.authorization.k8s.io
diff --git a/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other/res/restrict-binding-system-groups/restrict-binding-system-groups.yaml
@@ -29,8 +29,8 @@ spec:
       validate:
         message: "Binding to system:anonymous is not allowed."
         pattern:
-          roleRef:
-            name: "!system:anonymous"
+          subjects:
+            - name: "!system:anonymous"
     - name: restrict-unauthenticated
       match:
         any:
@@ -41,8 +41,8 @@ spec:
       validate:
         message: "Binding to system:unauthenticated is not allowed."
         pattern:
-          roleRef:
-            name: "!system:unauthenticated"
+          subjects:
+            - name: "!system:unauthenticated"
     - name: restrict-masters
       match:
         any:
@@ -53,5 +53,6 @@ spec:
       validate:
         message: "Binding to system:masters is not allowed."
         pattern:
-          roleRef:
-            name: "!system:masters"
+          subjects:
+            - name: "!system:masters"
+