From 9b5438d8642f7535a192d416e38aeba8316a2566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Martini?=
Date: Wed, 2 Oct 2024 18:43:24 +0200
Subject: [PATCH] Fix: rolebindingRolePodExecAttach check (#1070)
* Fix: rolebindingRolePodExecAttach check
Fix the case of a RoleBinding that points to a ClusterRole. In that case, we ignore the RoleBinding since it will be evaluated by the rolebindingClusterRolePodExecAttach check.
* add tests for role-binding that uses a cluster-role binding
---------
Co-authored-by: Vitor Vezani
---
 .../checks/rolebindingRolePodExecAttach.yaml | 2 +-
 ...ess.role_binding_cluster_role_binding.yaml | 22 +++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 test/checks/rolebindingRolePodExecAttach/success.role_binding_cluster_role_binding.yaml
diff --git a/pkg/config/checks/rolebindingRolePodExecAttach.yaml b/pkg/config/checks/rolebindingRolePodExecAttach.yaml
index c5b207747..a098713d2 100644
--- a/pkg/config/checks/rolebindingRolePodExecAttach.yaml
+++ b/pkg/config/checks/rolebindingRolePodExecAttach.yaml
@@ -17,7 +17,7 @@ schemaString: |
 const: "rbac.authorization.k8s.io"
 kind:
 type: string
- const: "Role"
+ const: "ClusterRole"
 # Do not alert on default RoleBindings.
 - required: ["metadata"]
 properties:
diff --git a/test/checks/rolebindingRolePodExecAttach/success.role_binding_cluster_role_binding.yaml b/test/checks/rolebindingRolePodExecAttach/success.role_binding_cluster_role_binding.yaml
new file mode 100644
index 000000000..8e61d5369
--- /dev/null
+++ b/test/checks/rolebindingRolePodExecAttach/success.role_binding_cluster_role_binding.yaml
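Review bot: The branch changed at `const: "ClusterRole"` (this appears to be the `kind` under `roleRef`, given the preceding `apiGroup` const) now passes any RoleBinding whose roleRef points at a ClusterRole, but nothing in the schema records that this relies on rolebindingClusterRolePodExecAttach covering those bindings, so a reader of this check alone sees a ClusterRole reference as an unconditional pass. The adjacent branch carries `# Do not alert on default RoleBindings.`, so a parallel comment above this one would keep the intent visible, e.g. `# RoleBindings that reference a ClusterRole are evaluated by rolebindingClusterRolePodExecAttach instead.` Since the sibling check is not visible here, it is worth confirming that it actually evaluates RoleBinding resources and not only ClusterRoleBindings; otherwise a RoleBinding granting pods/exec or pods/attach through a ClusterRole would be flagged by neither check. The enclosing schemaString starts and ends outside the hunk.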
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: all-operations
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: all-operations
+ namespace: my-namespace
+subjects:
+ - kind: User
+ name: example-user
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: all-operations
+ apiGroup: rbac.authorization.k8s.io
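Review bot: The fixture name `success.role_binding_cluster_role_binding.yaml` suggests a ClusterRoleBinding, but the second document is a RoleBinding whose `roleRef.kind` is ClusterRole, which is the case the commit message describes; a name such as `success.role_binding_to_cluster_role.yaml` would describe the fixture accurately. Because it is a `success` case, this file pins the behaviour that a RoleBinding granting `verbs: ["*"]` on `resources: ["*"]` via a ClusterRole is passed by this check, so the corresponding failure fixture under rolebindingClusterRolePodExecAttach, which cannot be seen in this diff, is what keeps such a grant from going unflagged and is worth confirming exists. The file also omits the leading `---` document marker that the project's other multi-document fixtures are likely to use.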