Instance of k8sdisallowanonymous with no parameters yields no violations
Closed this issue · 1 comment
julianKatz commented
With this template and the following constraint:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: avoid-system-bindings
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
```
The following object does not generate a violation in my suite.yaml:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-crole
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:unauthenticated
```
If I then update the constraint to have an empty `allowedRoles`:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: avoid-system-bindings
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles: []
```
It generates a violation. This should be a no-op, so it seems like the logic in the template has a bug.
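The failure mode reported above (a constraint with no `spec.parameters` produces no violation, while `allowedRoles: []` does) is the classic Rego "undefined swallows the whole rule" pattern. The following is an added illustration, not the gatekeeper-library `K8sDisallowAnonymous` template and not code from either commenter: a hypothetical, reduced policy whose buggy variant dereferences `input.parameters.allowedRoles` inside the `sprintf` for the message. When the constraint omits `parameters`, that path is undefined, `sprintf` is undefined, and the rule body silently fails to produce a violation, which matches the symptom even though the `not role_allowed(...)` check still passes (`not` of an undefined expression is true). The assumption that this is the actual cause in the library's template is mine; the fixed variant defaults the parameter with `object.get` so absent and empty behave identically.

```rego
# Added example (hypothetical reduced policy), NOT the gatekeeper-library template.
package k8sdisallowanonymous_example

# Subjects that represent unauthenticated / anonymous callers.
anonymous_subjects := {"system:unauthenticated", "system:anonymous"}

# ---- BUGGY variant (assumed cause of the reported behaviour) ----
# With no `spec.parameters` on the constraint, input.parameters.allowedRoles
# is undefined. `not role_allowed_buggy(...)` still succeeds (not-undefined is
# true), but the sprintf argument list is undefined, so `msg` is undefined and
# the whole rule yields nothing: no violation. With `allowedRoles: []` the path
# exists, sprintf evaluates, and the violation fires.
violation_buggy[{"msg": msg}] {
    subject := input.review.object.subjects[_]
    anonymous_subjects[subject.name]
    not role_allowed_buggy(input.review.object.roleRef.name)
    msg := sprintf("%v %v binds role %v to anonymous subject %v; allowed roles: %v", [
        input.review.object.kind,
        input.review.object.metadata.name,
        input.review.object.roleRef.name,
        subject.name,
        input.parameters.allowedRoles,   # undefined when parameters are omitted
    ])
}

role_allowed_buggy(role) {
    input.parameters.allowedRoles[_] == role
}

# ---- FIXED variant ----
# Default the parameter so that "no parameters", "parameters: {}" and
# "allowedRoles: []" all evaluate to the same empty list. The inner object.get
# also guards against input.parameters itself being absent.
allowed_roles := object.get(object.get(input, "parameters", {}), "allowedRoles", [])

violation[{"msg": msg}] {
    subject := input.review.object.subjects[_]
    anonymous_subjects[subject.name]
    not role_allowed(input.review.object.roleRef.name)
    msg := sprintf("%v %v binds role %v to anonymous subject %v; allowed roles: %v", [
        input.review.object.kind,
        input.review.object.metadata.name,
        input.review.object.roleRef.name,
        subject.name,
        allowed_roles,
    ])
}

role_allowed(role) {
    allowed_roles[_] == role
}
```

To reproduce locally with plain OPA, wrap the `test-crb` ClusterRoleBinding from the report as `{"review": {"object": <binding>}}` in an input file, once without a `parameters` key and once with `{"parameters": {"allowedRoles": []}}`, and evaluate `data.k8sdisallowanonymous_example.violation_buggy` and `data.k8sdisallowanonymous_example.violation` with `opa eval -i input.json -d policy.rego`. The buggy set is empty in the first case and non-empty in the second; the fixed set is non-empty in both, which is the no-op behaviour the report expects.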
apeabody commented
@julianKatz Taking a super quick look: