diff --git a/rbac-best-practices/restrict-binding-privileged-role b/rbac-best-practices/restrict-binding-privileged-role new file mode 100644 index 00000000..45068a94 --- /dev/null +++ b/rbac-best-practices/restrict-binding-privileged-role @@ -0,0 +1,55 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: restrict-binding-privileged-role + annotations: + policies.kyverno.io/title: Restrict Binding to a Privileged Role + policies.kyverno.io/category: Security, EKS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: ClusterRole, Role, RBAC + kyverno.io/kyverno-version: 1.7.0 + policies.kyverno.io/minversion: 1.6.0 + kyverno.io/kubernetes-version: "1.23" + policies.kyverno.io/description: >- + Binding to Wildcards ('*') in resourcesName when allowing creation of clusterole should not be allowed. +spec: + validationFailureAction: audit + rules: + - name: restrict-binding-privileged-role + match: + any: + - resources: + kinds: + - Role + - ClusterRole + preconditions: + all: + - key: "{{ request.object.rules[].apiGroups[] }}" + operator: AnyIn + value: rbac.authorization.k8s.io + - key: "{{ request.object.rules[].resources[] }}" + operator: AnyIn + value: + - clusterrolebindings + - rolebindings + - key: "{{ request.object.rules[].verbs[] }}" + operator: AnyIn + value: create + validate: + deny: + conditions: + all: + - key: "{{ request.object.rules[].apiGroups[] }}" + operator: AnyIn + value: rbac.authorization.k8s.io + - key: "{{ request.object.rules[].resources[] }}" + operator: AnyIn + value: + - clusterroles + - roles + - key: "{{ request.object.rules[].verbs[] }}" + operator: AnyIn + value: bind + - key: "{{ contains(request.object.rules[].resourceNames[], '*') }}" + operator: Equals + value: true