From 8999a6b21e249ea8c4c125bfe8d24421f5a69eb0 Mon Sep 17 00:00:00 2001
From: dheerajkadri
Date: Tue, 21 Mar 2023 10:41:08 +0530
Subject: [PATCH] Added cluster role permissions needed for OCP Kube-bench scans
---
 .../001_kube_enforcer_config.yaml | 25 +++++++++++++++----
 .../001_kube_enforcer_config.yaml | 25 +++++++++++++++----
 .../001_kube_enforcer_config.yaml | 25 +++++++++++++++----
 3 files changed, 60 insertions(+), 15 deletions(-)
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
index eb5336299..def47b592 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer/001_kube_enforcer_config.yaml
@@ -113,11 +113,6 @@ rules:
 - apiGroups: ["aquasecurity.github.io"]
 resources: ["configauditreports", "clusterconfigauditreports"]
 verbs: ["get", "list", "watch"]
- #### Can be removed if your platform isn't Openshift
- - apiGroups: [ "operator.openshift.io" ]
- resources: [ "imagecontentsourcepolicies" ]
- verbs: [ "get", "list", "watch" ]
- ####
 - apiGroups: ["*"]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch"]
@@ -152,6 +147,26 @@ rules:
 - create
 - update
 - delete
+ #### Can be removed if your platform isn't Openshift
+ - apiGroups: [ "operator.openshift.io" ]
+ resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "security.openshift.io" ]
+ resources: [ "securitycontextconstraints" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "config.openshift.io" ]
+ resources: [ "clusteroperators" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "machineconfiguration.openshift.io" ]
+ resources: [ "machineconfigs","machineconfigpools" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "" ]
+ resources: [ "pods/exec" ]
+ verbs: [ "create" ]
+ - apiGroups: [ "" ]
+ resources: [ "serviceaccounts","endpoints" ]
+ verbs: [ "list" ]
+ ####
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
index 33adb0a27..8b9cd0e34 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_advanced/001_kube_enforcer_config.yaml
@@ -256,11 +256,6 @@ rules:
 - apiGroups: ["aquasecurity.github.io"]
 resources: ["configauditreports", "clusterconfigauditreports"]
 verbs: ["get", "list", "watch"]
- #### Can be removed if your platform isn't Openshift
- - apiGroups: [ "operator.openshift.io" ]
- resources: [ "imagecontentsourcepolicies" ]
- verbs: [ "get", "list", "watch" ]
- ####
 - apiGroups: ["*"]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch"]
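Review bot: The new `- apiGroups: [ "" ]` / `resources: [ "pods/exec" ]` / `verbs: [ "create" ]` rule sits in a ClusterRole, so the enforcer's service account may open an exec session in any pod of any namespace, a near cluster-admin capability; the commit says it is needed for OCP kube-bench scans, but nothing here scopes it. If the scan only execs into pods the enforcer itself launches, granting `pods/exec` through a namespaced Role/RoleBinding in that namespace would bound the blast radius, and either way an audit-log rule on exec requests by this service account is the detection worth adding alongside the grant. The `#### Can be removed if your platform isn't Openshift` marker now also encloses the two core-group (`""`) rules for `pods/exec` and `serviceaccounts`/`endpoints`, which are not OpenShift API groups, so a reader cannot tell whether they belong to the OpenShift-only set or to every kube-bench deployment; moving the closing `####` above the `apiGroups: [ "" ]` rules, or rewording the comment to say the whole block is for OCP kube-bench scans, would make the intent explicit. As a point of style, the flow lists are written `[ "a","b" ]` while the rest of the file uses `["a", "b"]`. The same block is added in the `@@ -295,6 +290,26 @@` and `@@ -145,6 +140,26 @@` hunks of the other two manifests, and the `rules:` list these lines extend begins outside the hunk.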
@@ -295,6 +290,26 @@ rules:
 - create
 - update
 - delete
+ #### Can be removed if your platform isn't Openshift
+ - apiGroups: [ "operator.openshift.io" ]
+ resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "security.openshift.io" ]
+ resources: [ "securitycontextconstraints" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "config.openshift.io" ]
+ resources: [ "clusteroperators" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "machineconfiguration.openshift.io" ]
+ resources: [ "machineconfigs","machineconfigpools" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "" ]
+ resources: [ "pods/exec" ]
+ verbs: [ "create" ]
+ - apiGroups: [ "" ]
+ resources: [ "serviceaccounts","endpoints" ]
+ verbs: [ "list" ]
+ ####
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml
index aed0edd72..e044c4470 100644
--- a/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml
+++ b/enforcers/kube_enforcer/kubernetes_and_openshift/manifests/kube_enforcer_ocp3x/001_kube_enforcer_config.yaml
@@ -106,11 +106,6 @@ rules:
 - apiGroups: ["aquasecurity.github.io"]
 resources: ["configauditreports", "clusterconfigauditreports"]
 verbs: ["get", "list", "watch"]
- #### Can be removed if your platform isn't Openshift
- - apiGroups: [ "operator.openshift.io" ]
- resources: [ "imagecontentsourcepolicies" ]
- verbs: [ "get", "list", "watch" ]
- ####
 - apiGroups: ["*"]
 resources: ["configmaps"]
 verbs: ["get", "list", "watch"]
@@ -145,6 +140,26 @@ rules:
 - create
 - update
 - delete
+ #### Can be removed if your platform isn't Openshift
+ - apiGroups: [ "operator.openshift.io" ]
+ resources: [ "imagecontentsourcepolicies","openshiftapiservers","kubeapiservers" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "security.openshift.io" ]
+ resources: [ "securitycontextconstraints" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "config.openshift.io" ]
+ resources: [ "clusteroperators" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "machineconfiguration.openshift.io" ]
+ resources: [ "machineconfigs","machineconfigpools" ]
+ verbs: [ "get", "list" ]
+ - apiGroups: [ "" ]
+ resources: [ "pods/exec" ]
+ verbs: [ "create" ]
+ - apiGroups: [ "" ]
+ resources: [ "serviceaccounts","endpoints" ]
+ verbs: [ "list" ]
+ ####
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding