diff --git a/pkg/kubehound/risk/engine.go b/pkg/kubehound/risk/engine.go
index a716f1ece..9494701e3 100644
--- a/pkg/kubehound/risk/engine.go
+++ b/pkg/kubehound/risk/engine.go
@@ -40,7 +40,7 @@ func newEngine() (*RiskEngine, error) {
 func (ra *RiskEngine) IsCritical(model any) bool {
 	switch o := model.(type) {
 	case *store.PermissionSet:
-		if ra.roleMap[o.Name] {
+		if ra.roleMap[o.RoleName] && !o.IsNamespaced {
 			return true
 		}
 	}
diff --git a/pkg/kubehound/risk/rules.go b/pkg/kubehound/risk/rules.go
index 2f92d3c9f..c3c0f2c3c 100644
--- a/pkg/kubehound/risk/rules.go
+++ b/pkg/kubehound/risk/rules.go
@@ -57,7 +57,6 @@ var CriticalRoleMap = map[string]bool{
 	"system:kube-scheduler": true,
 	"system:kubelet-api-admin": true,
 	"system:monitoring": true,
-	"system:node": true,
 	"system:node-bootstrapper": true,
 	"system:node-problem-detector": true,
 	"system:node-proxier": true,
diff --git a/test/system/graph_vertex_test.go b/test/system/graph_vertex_test.go
index edd9dcfd7..ae7788ee3 100644
--- a/test/system/graph_vertex_test.go
+++ b/test/system/graph_vertex_test.go
@@ -273,6 +273,26 @@ func (suite *VertexTestSuite) TestVertexPerrmissionSet() {
 	suite.Subset(present, expected)
 }
 
+func (suite *VertexTestSuite) TestVertexCritical() {
+	results, err := suite.g.V().
+		HasLabel(vertex.PermissionSetLabel).
+		Has("critical", true).
+		Values("role").
+		ToList()
+
+	suite.NoError(err)
+	suite.GreaterOrEqual(len(results), 1)
+
+	present := suite.resultsToStringArray(results)
+	expected := []string{
+		"cluster-admin",
+		"system:node-bootstrapper",
+		"system:kube-scheduler",
+	}
+
+	suite.Subset(present, expected)
+}
+
 func (suite *VertexTestSuite) TestVertexVolume() {
 	results, err := suite.g.V().HasLabel(vertex.VolumeLabel).ElementMap().ToList()
 	suite.NoError(err)
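Review bot: The new `!o.IsNamespaced` guard on the `if` line carries no comment, and since this single condition decides whether a permission set is flagged critical it should say why scope matters: `// Built-in names are only trustworthy for ClusterRoles; a namespaced Role may carry any name (e.g. "cluster-admin"), so name matching is limited to cluster-scoped sets.` It is not visible here whether IsNamespaced describes the role kind or the binding scope; if it is the binding, a ClusterRole listed in CriticalRoleMap that is granted through a RoleBinding would now be dropped silently, which is worth confirming against the store.PermissionSet definition. The lookup also assumes roleMap is keyed in the same form as RoleName, which this hunk does not show. IsCritical's body continues past the end of the hunk.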
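Review bot: Dropping `"system:node"` from CriticalRoleMap changes which permission sets are flagged, yet nothing in the map records why that ClusterRole is no longer considered critical. Presumably the reasoning is that it is unbound by default since the Node authorizer replaced the legacy group binding, but on a cluster that still binds it (to system:nodes or anything else) it grants broad cross-namespace read of secrets, configmaps and pods, so the omission deserves a line next to the entries such as `// "system:node" intentionally omitted: unbound by default on clusters using the Node authorizer; re-add if it is still bound.` The CriticalRoleMap literal starts and ends outside the hunk.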
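Review bot: TestVertexCritical only asserts that three well-known roles appear among the critical vertices, so it would pass before this commit's fix as well and does not exercise what the engine change introduces — a namespaced Role reusing a built-in name, or the removed system:node, must not be flagged. Adding `suite.NotContains(present, "system:node")` after the Subset assertion pins the rules.go change, and a second traversal with `Has("critical", true)` asserting every result is cluster-scoped (the vertex property name for the namespaced flag is not visible here) would cover the engine change. Whether the test fixtures contain such a namespaced Role cannot be determined from this hunk.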