Set the automountServiceAccountToken to ignore, hasPrefix and hasSuffix functions are available in the go template, exempt the prefix system: instead of indifidual entries for RBAC checks (#871)

* `hasPrefix` and `hasSuffix` functions are available in the go template, exempt the prefix `system:` instead of indifidual entries for RBAC checks

* The RBAC checks `clusterrolebindingClusterAdmin` and `clusterrolebindingPodExecAttach` now exempt bindings that start with `system:`, instead of listing explicit strings.
* The RBAC check `clusterrolePodExecAttach` now exempt ClusterRoles that start with `system:`, instead of listing explicit strings.

* Update documentation to include additional Go template functions

* Set the `automountServiceAccountToken` check to ignore by default

Author: ivanfetch-wt

checks/clusterrolePodExecAttach.yaml

@@ -18,9 +18,8 @@ schemaString: |
                 - const: 'admin'
                 - const: "cluster-admin"
                 - const: "edit"
-                - const: "system:aggregate-to-edit"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - properties:
         rules:
           type: array

checks/clusterrolebindingClusterAdmin.yaml

@@ -17,8 +17,8 @@ schemaString: |
               type: string
               anyOf:
                 - const: "cluster-admin"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -39,7 +39,7 @@ additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
-    {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name "system:controller:generic-garbage-collector") (ne .metadata.name "system:controller:namespace-controller") }}
+    {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:

checks/clusterrolebindingPodExecAttach.yaml

@@ -17,8 +17,8 @@ schemaString: |
               type: string
               anyOf:
                 - const: "cluster-admin"
-                - const: "system:controller:generic-garbage-collector"
-                - const: "system:controller:namespace-controller"
+                - pattern: '^system:'
+                - const: "gce:podsecuritypolicy:calico-sa"
     - required: ["roleRef"]
       properties:
         roleRef:
@@ -37,7 +37,7 @@ additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
     type: object
     # Do not alert on default ClusterRoleBindings.
-    {{ if and (ne .metadata.name "cluster-admin") (ne .metadata.name "system:controller:generic-garbage-collector") (ne .metadata.name "system:controller:namespace-controller") }}
+    {{ if and (ne .metadata.name "cluster-admin") (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
     required: ["metadata", "rules"]
     allOf:
       - properties:

docs/customization/custom-checks.md

@@ -167,6 +167,18 @@ schemaString: |
               {{ end }}
 ```
 
+### Additional Go Template Functions
+
+These functions are also available in the GO template.
+
+* [hasPrefix](https://pkg.go.dev/strings#HasPrefix) - for example, `hasPrefix "string" "prefix"`
+* [hasSuffix](https://pkg.go.dev/strings#HasSuffix) - for example, `hasSuffix "string" "suffix"`
+
+For example, the `hasPrefix` function can be used in a template to determine whether a resource name starts with `system:`
+```
+{{ if hasPrefix .metadata.name "system:" }}
+```
+
 ## Multi-Resource Checks
 You can write checks that span multiple resources. This is helpful for ensuring e.g.
 that every Deployment has a PDB or an HPA associated with it.

examples/config.yaml

@@ -16,7 +16,7 @@ checks:
   memoryRequestsMissing: warning
   memoryLimitsMissing: warning
   # security
-  automountServiceAccountToken: warning
+  automountServiceAccountToken: ignore
   hostIPCSet: danger
   hostPIDSet: danger
   linuxHardening: warning

pkg/config/schema.go

@@ -223,7 +223,10 @@ func (check SchemaCheck) TemplateForResource(res interface{}) (*SchemaCheck, err
 	newCheck.AdditionalSchemaStrings = map[string]string{}
 
 	for kind, tmplString := range templateStrings {
-		tmpl := template.New(newCheck.ID)
+		tmpl := template.New(newCheck.ID).Funcs(template.FuncMap{
+			"hasPrefix": strings.HasPrefix,
+			"hasSuffix": strings.HasSuffix,
+		})
 		tmpl, err := tmpl.Parse(tmplString)
 		if err != nil {
 			return nil, err

test/checks/clusterrolePodExecAttach/success.gce_calico_clusterrole.yaml

@@ -0,0 +1,9 @@
+# This succeeds because the clusterRole is an exempt name `gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]

test/checks/clusterrolePodExecAttach/success.system_prefix.yaml

@@ -0,0 +1,9 @@
+# This succeeds because the clusterRole has an exempt `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]

test/checks/clusterrolebindingClusterAdmin/failure.binding_to_system_prefix.yaml

@@ -0,0 +1,35 @@
+# This fails because the clusterRoleBinding references a ClusterRole that uses all wildcards which happens to have a `system:` prefix.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # The system: prefix does not cause this test to fail, but this test
+  # avoids incorectly ignoring user-created bindings to system ClusterRoles.
+  name: system:test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: test-binding-to-system-prefix-clusterrole
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]

test/checks/clusterrolebindingClusterAdmin/success.gce_calico_binding.yaml

@@ -0,0 +1,33 @@
+# This succeeds because the clusterRoleBinding is an exempt name `gce:podsecuritypolicy:calico-sa`
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: test
+rules:
+  - apiGroups: [ "*" ]
+    resources: [ "*" ]
+    verbs: [ "*" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: gce:podsecuritypolicy:calico-sa
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: test
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: testuser
+---
+# This Role exists so there is at least one Role for the additionalSchema to find.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: not-used
+  namespace: test
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ list ]