-
Notifications
You must be signed in to change notification settings - Fork 52
/
restrict-bind-escalate-impersonate.yaml
59 lines (59 loc) · 2.69 KB
/
restrict-bind-escalate-impersonate.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Copyright 2024 Google LLC
#
# This is “Software” that is licensed under the “General Software” section of
# the Service Specific Terms (https://cloud.google.com/terms/service-terms) for
# usage in accordance with the following “Scope of Use”: This file may only be
# used on an Anthos cluster, including any associated ci/cd use. “Anthos
# cluster” is defined as “A Cluster (of any kind) registered to a fleet project
# where the Anthos API is enabled”.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictRoleRules
metadata:
name: cis-k8s-v1.7.1-restrict-bind-escalate-impersonate
labels:
policycontroller.gke.io/bundleName: cis-k8s-v1.7.1
annotations:
policycontroller.gke.io/bundleVersion: 202403.0-preview
policycontroller.gke.io/constraintData: |-
"{
bundleName: 'cis-k8s-v1.7.1',
bundleDisplayName: 'CIS Kubernetes Benchmark v1.7.1',
bundleLink: 'https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-k8s-benchmark',
bundleVersion: '202403.0-preview',
bundleDescription: 'Use the CIS Kubernetes Benchmark 1.7.1 policy bundle with Policy Controller to evaluate the compliance of your cluster resources against the CIS Kubernetes Benchmark, which is a set of recommendations for configuring Kubernetes to support a robust security posture.',
controlNumbers: '[5.1.8]',
severity: 'UNSPECIFIED',
description: 'Restricts the access to the bind, escalate, impersonate on roles/clusterroles in `Roles` and `ClusterRoles`.',
remediation: 'The access to roles/clusterroles with bind, escalate, impersonate in Roles and ClusterRoles is restricted. Remove bind, escalate, impersonate rules for clusterroles/roles from your Roles and ClusterRoles. See "RoleBinding and ClusterRoleBinding" for more information: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding',
minimumTemplateLibraryVersion: '1.15.2',
constraintHash: '5cbc41cd74d8b7743eaf498a5bacf7fb6ec734d80e3c244481aac1eb44ebc7b6'
}"
spec:
enforcementAction: dryrun
match:
kinds:
- apiGroups:
- rbac.authorization.k8s.io
kinds:
- Role
- ClusterRole
parameters:
disallowedRules:
- apiGroups:
- ""
resources:
- clusterroles
- roles
verbs:
- bind
- escalate
- impersonate
exemptions:
clusterRoles:
- name: admin
- name: cluster-admin
- name: system:controller:clusterrole-aggregation-controller
- name: config-management-operator
roles:
- name: agent-updater
namespace: gke-connect