-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CKV2_K8S_{1-5} do not check apiGroups
of ClusterRoleBindings
#6765
Comments
@m-wynn Hi, I tested this Checkov Version 3.2.250. The example file you provided above does trigger a number of K8s Policies, not sure if this was different in even earlier version. Anyhow, this is what I'm seeing with 3.2.250:
|
Yes, this passes on the .250 version but not the most recent |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the issue
CKV2_K8S_1-5 check if ClusterRoleBindings have access to read all secrets, impersonate permissions, set nodes/proxy or pods/exec by checking for wildcards, etc. However, they don't check apiGroups. If you want to give your ServiceAccount . within your API group, that should only trigger CKV_K8S_49 (minimize wildcard use in Roles and ClusterRoles), not these specific rules.
I believe this started on a fairly recent version of Checkov. I saw it on 3.2.257, but I don't remember seeing it on 3.2.250.
Examples
The Prometheus-Adapter Helm Chart also runs into this issue.
Version (please complete the following information):
The text was updated successfully, but these errors were encountered: