Listing secret not capturing as a risky rule #10
Comments
Interesting, I will try to restore it on my machine and update you. But I have two thoughts:
Because it's not captured as a risky rule, the associated ServiceAccount mapped to the pod is also not shown as a
I understand.
Please check the code, looks like it's working with
Any update?
The `- kind: Role` line of `risky-impersonate-groups` had an extra space, which prevented `risky-list-secrets` from loading.
Please check now.
By the way, can you add me on Twitter (@g3rzi)? I would like to consult with you on other stuff related to Kubernetes.
OK, will add. But I don't think the issue was in your YAML; you fixed it in your code. Now with
There was an issue with the YAML which provides the roles you want it to capture. There was a wrong indent in one of the roles after the list-secrets role, which caused the list-secrets role in the YAML to be ignored when I load it. I will try to restore the
If you look at my RBAC YAML at the top of the discussion, there were no issues. True that your YAML was wrong.
I didn't speak about your RBAC YAML. I spoke about the
Oh! Sorry. I am very sorry.
It's OK, don't worry :)
Let me know once it is fixed so I can close; it's a long discussion. :)
I am using OpenShift, where I can set my namespace (`oc project namespace`), so there is no need to specify the namespace; it will take the namespace automatically. But it will NOT take the default namespace.
@prasenforu, lines 216 to 227 in 35d6c04
With this:
I added two print statements.
When setting a service account without a namespace inside a RoleBinding, it will automatically get the RoleBinding's namespace. Added support for this case.
@prasenforu I found the bug with the namespace on
Thanks 👍
@prasenforu did you have time to check it?
No, man. Did not get a chance to check because of Covid. Stay safe & take care.
Hi @prasenforu
Doing good, thanks. Sorry, didn't get a chance to look. Will do at the end of the coming week.
Checked in an old OpenShift version, looks OK; need to test in a new OpenShift version (unfortunately I do not have any environment). Will update you if I replicate it in the new OpenShift version; I expect it will work :) Anyway, thanks for the notification.
Great to hear :)
My RBAC (ServiceAccount, Role & RoleBinding) is as follows, which has a role for listing secrets.
But `kubiscan -rr` does not capture/show it as a risky rule.
Not sure what the criteria for a risky rule are?
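As an added illustration (not KubiScan's own code, nor its risky-roles YAML), the following Python models the two points this thread turns on: what makes a Role rule "risky" for a pattern such as `list` on `secrets`, and why a ServiceAccount subject that omits its namespace in a RoleBinding has to be attributed to the binding's namespace rather than dropped. The object names, the `RISKY_RULES` patterns and the matching function are assumptions for illustration only; the sample Role and RoleBinding are constructed inline.

```python
# Added example, not KubiScan's code: a minimal model of a "risky rule" check
# over parsed Role/RoleBinding objects, including the ServiceAccount-without-
# namespace case discussed in this issue. Names, patterns and matching logic
# are assumptions for illustration.

# Constructed sample objects, shaped like `kubectl get role,rolebinding -o json`
# output (all names are hypothetical).
ROLE = {
    "kind": "Role",
    "metadata": {"name": "secret-reader", "namespace": "myproject"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    ],
}

ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "secret-reader-binding", "namespace": "myproject"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                "name": "secret-reader"},
    "subjects": [
        # No namespace set: the RBAC authorizer evaluates a ServiceAccount
        # subject of a RoleBinding against the binding's own namespace.
        {"kind": "ServiceAccount", "name": "app-sa"},
        {"kind": "ServiceAccount", "name": "other-sa", "namespace": "other"},
    ],
}

# Hypothetical risky-rule patterns: a Role rule that grants at least the named
# apiGroup/resource/verb combination is flagged. "*" in a pattern means "any".
RISKY_RULES = {
    "risky-list-secrets": {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["list"]},
    "risky-impersonate-groups": {"apiGroups": ["*"], "resources": ["groups"], "verbs": ["impersonate"]},
}


def rule_matches(granted, pattern):
    """True when `granted` (one Role rule) covers `pattern`.

    A "*" in the granted rule covers everything for that field; a "*" in the
    pattern accepts any non-empty granted value; otherwise at least one of the
    pattern's values must appear in the granted list."""
    for field in ("apiGroups", "resources", "verbs"):
        g = granted.get(field, [])
        p = pattern.get(field, [])
        if not g:
            return False
        if "*" in g or "*" in p:
            continue
        if not any(v in g for v in p):
            return False
    return True


def risky_rules_for(role, risky_rules=RISKY_RULES):
    """Names of the risky patterns satisfied by at least one rule of `role`."""
    return [name for name, pattern in risky_rules.items()
            if any(rule_matches(rule, pattern) for rule in role.get("rules", []))]


def resolve_subjects(binding):
    """(kind, namespace, name) for every subject of a RoleBinding.

    A ServiceAccount subject without a namespace inherits the binding's
    namespace, which is how the Kubernetes RBAC authorizer resolves it;
    failing to do so is the bug reported in this issue."""
    default_ns = binding["metadata"]["namespace"]
    resolved = []
    for subject in binding.get("subjects", []):
        ns = subject.get("namespace")
        if subject["kind"] == "ServiceAccount" and not ns:
            ns = default_ns
        resolved.append((subject["kind"], ns, subject["name"]))
    return resolved


def risky_subjects(role, binding, risky_rules=RISKY_RULES):
    """Subjects that obtain risky permissions via `binding` -> `role`.

    Returns [] when the binding does not reference this Role (a RoleBinding
    can only reference a Role in its own namespace) or when the Role has no
    risky rule."""
    ref = binding["roleRef"]
    same_ns = binding["metadata"]["namespace"] == role["metadata"]["namespace"]
    if ref["kind"] != "Role" or ref["name"] != role["metadata"]["name"] or not same_ns:
        return []
    hits = risky_rules_for(role, risky_rules)
    if not hits:
        return []
    return [(subject, hits) for subject in resolve_subjects(binding)]


if __name__ == "__main__":
    print(risky_rules_for(ROLE))
    for subject, hits in risky_subjects(ROLE, ROLEBINDING):
        print(subject, "->", hits)
```

Two details matter in practice. A rule such as `apiGroups: ["*"], resources: ["*"], verbs: ["*"]` satisfies every pattern at once, so wildcard roles show up under all risky names. And the namespace defaulting applies only to RoleBindings; for a ClusterRoleBinding the API server requires an explicit namespace on ServiceAccount subjects, so a scanner never needs to guess there.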