

Change cr_whitelist to bash array
Signed-off-by: Derek Nola <[email protected]>
dereknola committed Nov 5, 2024
1 parent 5ccabca commit 72449a0
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions package/cfg/k3s-cis-1.9/policies.yaml
Expand Up @@ -58,15 +58,23 @@ groups:
fi;
done
cr_whitelist="cluster-admin k3s-cloud-controller-manager local-path-provisioner-role"
cr_whitelist="$cr_whitelist system:kube-controller-manager system:kubelet-api-admin system:controller:namespace-controller"
cr_whitelist="$cr_whitelist system:controller:disruption-controller system:controller:generic-garbage-collector"
cr_whitelist="$cr_whitelist system:controller:horizontal-pod-autoscaler system:controller:resourcequota-controller"
cr_whitelist=(
"cluster-admin"
"k3s-cloud-controller-manager"
"local-path-provisioner-role"
"system:kube-controller-manager"
"system:kubelet-api-admin"
"system:controller:namespace-controller"
"system:controller:disruption-controller"
"system:controller:generic-garbage-collector"
"system:controller:horizontal-pod-autoscaler"
"system:controller:resourcequota-controller"
)
# Check ClusterRoles
kubectl get clusterroles -o custom-columns=CLUSTERROLE_NAME:.metadata.name --no-headers | while read -r clusterrole_name
do
clusterrole_rules=$(kubectl get clusterrole "${clusterrole_name}" -o=json | jq -c '.rules')
if echo "${cr_whitelist}" | grep -q "${clusterrole_name}"; then
if echo ${cr_whitelist[@]} | grep -q "${clusterrole_name}"; then
printf "**clusterrole_name: %-50s is_whitelist: true is_compliant: true\n" "${clusterrole_name}"
elif echo "${clusterrole_rules}" | grep -q "\[\"\*\"\]"; then
echo "**clusterrole_name: ${clusterrole_name} clusterrole_rules: ${clusterrole_rules} is_compliant: false"
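Review bot: The rewritten whitelist test on the `if echo ${cr_whitelist[@]} | grep -q "${clusterrole_name}"` line is still an unanchored regex substring match, so a clusterrole whose name is a substring of a whitelisted entry (for example a role named `admin` matched by `cluster-admin`, or `kubelet-api-admin` matched by `system:kubelet-api-admin`) is reported `is_whitelist: true` and its rules are never inspected, and a `.` in a role name acts as a regex wildcard. Now that the whitelist is an array, an exact membership check costs one line: `if printf '%s\n' "${cr_whitelist[@]}" | grep -qxF -- "${clusterrole_name}"; then`. That form also restores the quoting the removed line had, which the new line drops. The script this line belongs to starts before the hunk (the `fi; done` at the top of the hunk closes an earlier loop), so this note covers only the visible part.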
