Details
Bug
Resolution: Not a Bug
Critical
None
4.12.z
None
Moderate
No
OPECO 233
1
Rejected
False
OCP Eng Mgmt
Customer Escalated
Description
Description of problem:
The OpenShift compliance rule "ocp4-cis-rbac-wildcard-use" is failing because the OperatorGroup has one ClusterRole that uses a wildcard permission, which violates the CIS benchmark.
ClusterRole with a wildcard:
~~~
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2022-03-29T18:46:01Z"
  labels:
    olm.opgroup.permissions/aggregate-to-29f560e63c769514-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: namespacescopes.operator.ibm.com-v1-admin   # <--------- Name comes from the CRD name + "admin"
  ownerReferences:
  - apiVersion: apiextensions.k8s.io/v1
    blockOwnerDeletion: false
    controller: false
    kind: CustomResourceDefinition
    name: namespacescopes.operator.ibm.com
    uid: 381095c3-fdea-4009-8eba-686f276b7ac5
  resourceVersion: "19255855"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/namespacescopes.operator.ibm.com-v1-admin
  uid: 90bef156-0c35-4edd-86d3-46f12259b10c
rules:
- apiGroups:
  - operator.ibm.com
  resources:
  - namespacescopes
  verbs:
  - '*'   # <----------- This is the issue
~~~
I found the GitHub issue for the same; are you targeting this issue in OpenShift?
https://github.com/operator-framework/operator-lifecycle-manager/issues/2727
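As an added example (this is not code from the report, from OLM or from the Compliance Operator), the check below does what the failing rule does in spirit: it walks a ClusterRoleList in the shape of `oc get clusterroles -o json`, flags every rule that uses `*` in verbs, resources or apiGroups, and additionally marks a hit as OLM-generated when the role is owned by a CustomResourceDefinition and carries an `olm.opgroup.permissions/aggregate-to-...` label, the two markers visible on the ClusterRole quoted above. The sample list, the two contrast roles (`example-handwritten-wildcard`, `example-readonly`) and the OLM-origin heuristic are constructed for illustration; the shortened uids are not the real ones.

```python
"""
Report ClusterRoles with wildcard RBAC rules and say which ones look
OLM-generated. Added illustration; not part of the bug report, OLM or the
Compliance Operator.
"""
import json
import sys

# Constructed sample in the shape of `oc get clusterroles -o json`.
# Item 1 mirrors the ClusterRole quoted in the report (uids omitted);
# items 2 and 3 are made up for contrast.
SAMPLE_CLUSTERROLES = json.loads(r'''
{
  "kind": "ClusterRoleList",
  "items": [
    {
      "metadata": {
        "name": "namespacescopes.operator.ibm.com-v1-admin",
        "labels": {
          "olm.opgroup.permissions/aggregate-to-29f560e63c769514-admin": "true",
          "rbac.authorization.k8s.io/aggregate-to-admin": "true"
        },
        "ownerReferences": [
          {"apiVersion": "apiextensions.k8s.io/v1",
           "kind": "CustomResourceDefinition",
           "name": "namespacescopes.operator.ibm.com"}
        ]
      },
      "rules": [
        {"apiGroups": ["operator.ibm.com"],
         "resources": ["namespacescopes"],
         "verbs": ["*"]}
      ]
    },
    {
      "metadata": {"name": "example-handwritten-wildcard"},
      "rules": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}
      ]
    },
    {
      "metadata": {"name": "example-readonly"},
      "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch"]}
      ]
    }
  ]
}
''')

# Label prefix OLM puts on the per-CRD aggregate roles (from the report's YAML).
OLM_AGGREGATE_LABEL_PREFIX = "olm.opgroup.permissions/aggregate-to-"


def rule_has_wildcard(rule):
    """True if verbs, resources or apiGroups of a PolicyRule contains '*'."""
    return any("*" in (rule.get(field) or [])
               for field in ("verbs", "resources", "apiGroups"))


def is_olm_generated(role):
    """Heuristic (an assumption based on the quoted role, not an OLM API):
    owned by a CustomResourceDefinition and labelled with the OLM prefix."""
    meta = role.get("metadata", {})
    owned_by_crd = any(ref.get("kind") == "CustomResourceDefinition"
                       for ref in (meta.get("ownerReferences") or []))
    has_olm_label = any(key.startswith(OLM_AGGREGATE_LABEL_PREFIX)
                        for key in (meta.get("labels") or {}))
    return owned_by_crd and has_olm_label


def find_wildcard_roles(clusterrole_list):
    """One finding per ClusterRole that has at least one wildcard rule."""
    findings = []
    for role in clusterrole_list.get("items", []):
        hits = [r for r in (role.get("rules") or []) if rule_has_wildcard(r)]
        if hits:
            findings.append({
                "name": role["metadata"]["name"],
                "olm_generated": is_olm_generated(role),
                "wildcard_rules": hits,
            })
    return findings


def main():
    # Read a real list when piped (oc get clusterroles -o json | python3 ...),
    # otherwise run against the constructed sample.
    data = SAMPLE_CLUSTERROLES if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in find_wildcard_roles(data):
        origin = "OLM-generated" if finding["olm_generated"] else "other"
        print(f"{finding['name']}: {len(finding['wildcard_rules'])} "
              f"wildcard rule(s) [{origin}]")


if __name__ == "__main__":
    main()
```

Run it with `oc get clusterroles -o json | python3 wildcard_roles.py` to list the offenders on a live cluster; the OLM-generated tag tells you which findings come from operator installs (and so cannot be fixed by editing the role, since OLM owns it) and which are hand-written roles you can tighten.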