Revert "Change cr_whitelist to bash array"
This reverts commit 72449a0.
dereknola committed Nov 6, 2024
1 parent 72449a0 commit 9bdb58e
Showing 1 changed file with 5 additions and 13 deletions.
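--- a/package/cfg/k3s-cis-1.9/policies.yaml
+++ b/package/cfg/k3s-cis-1.9/policies.yaml
@@ -58,23 +58,15 @@ groups:
 fi;
 done
-cr_whitelist=(
-"cluster-admin"
-"k3s-cloud-controller-manager"
-"local-path-provisioner-role"
-"system:kube-controller-manager"
-"system:kubelet-api-admin"
-"system:controller:namespace-controller"
-"system:controller:disruption-controller"
-"system:controller:generic-garbage-collector"
-"system:controller:horizontal-pod-autoscaler"
-"system:controller:resourcequota-controller"
-)
+cr_whitelist="cluster-admin k3s-cloud-controller-manager local-path-provisioner-role"
+cr_whitelist="$cr_whitelist system:kube-controller-manager system:kubelet-api-admin system:controller:namespace-controller"
+cr_whitelist="$cr_whitelist system:controller:disruption-controller system:controller:generic-garbage-collector"
+cr_whitelist="$cr_whitelist system:controller:horizontal-pod-autoscaler system:controller:resourcequota-controller"
 # Check ClusterRoles
 kubectl get clusterroles -o custom-columns=CLUSTERROLE_NAME:.metadata.name --no-headers | while read -r clusterrole_name
 do
 clusterrole_rules=$(kubectl get clusterrole "${clusterrole_name}" -o=json | jq -c '.rules')
-if echo ${cr_whitelist[@]} | grep -q "${clusterrole_name}"; then
+if echo "${cr_whitelist}" | grep -q "${clusterrole_name}"; then
 printf "**clusterrole_name: %-50s is_whitelist: true is_compliant: true\n" "${clusterrole_name}"
 elif echo "${clusterrole_rules}" | grep -q "\[\"\*\"\]"; then
 echo "**clusterrole_name: ${clusterrole_name} clusterrole_rules: ${clusterrole_rules} is_compliant: false"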
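Review bot: The restored whitelist test `if echo "${cr_whitelist}" | grep -q "${clusterrole_name}"; then` is a substring and regex match against the space-joined string, so any ClusterRole whose name is contained in a whitelisted name (for example a role named `admin` against `cluster-admin`) is reported as `is_whitelist: true` and never reaches the wildcard-rules check on the `elif` line, which silently weakens this control. The match should be whole-token and literal, e.g. `if printf '%s\n' ${cr_whitelist} | grep -qxF -- "${clusterrole_name}"; then` (the unquoted expansion is deliberate here, to split the list into one entry per line for `-x`). The same concern applied to the array form being reverted, so this is not a regression of the commit but a latent weakness worth fixing while the line is being touched. The enclosing audit script starts above the hunk and its loop body continues below it.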
