Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UD-1664: Add check for unauthenticated or anonymous subjects within r… #65

Merged
merged 1 commit into from
Aug 8, 2024
Merged

UD-1664: Add check for unauthenticated or anonymous subjects within r… #65

merged 1 commit into from
Aug 8, 2024

Conversation

knrc
Copy link
Contributor

@knrc knrc commented Aug 7, 2024

…ole bindings

Description

This PR adds a new builtin check. It identifies cluster role bindings and role bindings which reference the unauthenticated group or anonymous user.

Linked Issues

How has this been tested?

  • Updated builtin tests
  • Built new marvin, deployed to cluster and checked reports on saas

Checklist

  • I have labeled this PR with the relevant Type labels
  • I have documented my code (if applicable)
  • My changes are covered by tests

@knrc knrc added the enhancement New feature or request label Aug 7, 2024
@knrc knrc requested a review from matheusfm August 7, 2024 18:23
@knrc
Copy link
Contributor Author

knrc commented Aug 7, 2024

Note: This check is currently a Medium severity, however it may be better to specify it as a High severity given the potential for abuse

@matheusfm
Copy link
Contributor

It seems like every cluster has a default ClusterRoleBinding called system:public-info-viewer which would be reported as a misconfiguration. CEL Playground experiment.

Do you think having an exception for this cases makes sense?

The kubernetes.io/bootstrapping: rbac-defaults label may help with an exception rule.

@knrc
Copy link
Contributor Author

knrc commented Aug 7, 2024

It seems like every cluster has a default ClusterRoleBinding called system:public-info-viewer which would be reported as a misconfiguration. CEL Playground experiment.

Do you think having an exception for this cases makes sense?

The kubernetes.io/bootstrapping: rbac-defaults label may help with an exception rule.

While the role is provided by default it doesn't need to exist, and probably shouldn't if the cluster is being hardened. Given this, I think it is better to report the existence and let the users decide whether they want to deal with it (i.e. remove the binding) or ignore it.

@knrc knrc requested a review from matheusfm August 7, 2024 19:50
@knrc knrc merged commit 70da7ad into main Aug 8, 2024
4 checks passed
@knrc knrc deleted the UD-1664 branch August 8, 2024 14:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matheusfm matheusfm matheusfm approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@knrc @matheusfm