package policy
import data.police_builtins as pb
import future.keywords.in
# Policy metadata consumed by the rbac-police report: one entry with a
# human-readable description and the severity assigned to every finding.
describe[entry] {
    entry := {
        "desc": "Identities that can impersonate users, groups or other serviceaccounts can escalate privileges by abusing the permissions of the impersonated identity",
        "severity": "Critical",
    }
}
# Kinds of identity this policy evaluates (set, so element order is irrelevant).
targets := {"users", "groups", "serviceAccounts", "nodes"}
# True when any rule of any of the given roles grants the "impersonate" verb
# (or a wildcard verb) on a resource that enables impersonation.
# `owner` is part of the shared evaluate* signature and is not used here.
evaluateRoles(roles, owner) {
    some role in roles
    some rule in role.rules
    pb.valueOrWildcard(rule.verbs, "impersonate")
    impersonationResources(rule.apiGroups, rule.resources)
}
# True when the apiGroups/resources pair of a rule names an impersonation
# target. Two independent definitions stand in for the two alternatives.

# Core group (""), or a wildcard group, with users / groups / serviceaccounts
# or a wildcard resource.
impersonationResources(apiGroups, resources) {
    pb.valueOrWildcard(apiGroups, "")
    usersGroupsSasOrWildcard(resources)
}

# authentication.k8s.io with the "userextras" resource.
# NOTE(review): the "uids" resource of the same API group is not covered
# here; confirm whether it should be.
impersonationResources(apiGroups, resources) {
    pb.valueOrWildcard(apiGroups, "authentication.k8s.io")
    pb.valueOrWildcard(resources, "userextras")
}
# True when `resources` contains any of the impersonable identity resources,
# or a wildcard entry as recognised by pb.hasWildcard.
usersGroupsSasOrWildcard(resources) {
    some resource in resources
    resource in {"users", "groups", "serviceaccounts"}
}

usersGroupsSasOrWildcard(resources) {
    pb.hasWildcard(resources)
}