HOTFIX: fix critical assets flag in risk engine (#93)

pkg/kubehound/risk/engine.go

@@ -40,7 +40,7 @@ func newEngine() (*RiskEngine, error) {
 func (ra *RiskEngine) IsCritical(model any) bool {
 	switch o := model.(type) {
 	case *store.PermissionSet:
-		if ra.roleMap[o.Name] {
+		if ra.roleMap[o.RoleName] && !o.IsNamespaced {
 			return true
 		}
 	}

pkg/kubehound/risk/rules.go

@@ -57,7 +57,6 @@ var CriticalRoleMap = map[string]bool{
 	"system:kube-scheduler":                                                true,
 	"system:kubelet-api-admin":                                             true,
 	"system:monitoring":                                                    true,
-	"system:node":                                                          true,
 	"system:node-bootstrapper":                                             true,
 	"system:node-problem-detector":                                         true,
 	"system:node-proxier":                                                  true,

test/system/graph_vertex_test.go

@@ -273,6 +273,26 @@ func (suite *VertexTestSuite) TestVertexPerrmissionSet() {
 	suite.Subset(present, expected)
 }
 
+func (suite *VertexTestSuite) TestVertexCritical() {
+	results, err := suite.g.V().
+		HasLabel(vertex.PermissionSetLabel).
+		Has("critical", true).
+		Values("role").
+		ToList()
+
+	suite.NoError(err)
+	suite.GreaterOrEqual(len(results), 1)
+
+	present := suite.resultsToStringArray(results)
+	expected := []string{
+		"cluster-admin",
+		"system:node-bootstrapper",
+		"system:kube-scheduler",
+	}
+
+	suite.Subset(present, expected)
+}
+
 func (suite *VertexTestSuite) TestVertexVolume() {
 	results, err := suite.g.V().HasLabel(vertex.VolumeLabel).ElementMap().ToList()
 	suite.NoError(err)