From 3655730032665758611d522cab099b74434cc823 Mon Sep 17 00:00:00 2001
From: Daniel Reed
Date: Tue, 21 May 2024 11:18:39 -0600
Subject: [PATCH 1/2] update restrict-wildcard-verbs to handle null/empty rules
Signed-off-by: Daniel Reed
---
 .../.kyverno-test/kyverno-test.yaml | 49 +++++++++++++++
 .../.kyverno-test/resource.yaml | 61 +++++++++++++++++++
 .../restrict-wildcard-verbs.yaml | 4 +-
 3 files changed, 112 insertions(+), 2 deletions(-)
 create mode 100644 other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml
 create mode 100644 other/restrict-wildcard-verbs/.kyverno-test/resource.yaml
diff --git a/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml b/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..c3b046c4c
--- /dev/null
+++ b/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: restrict-verbs
+policies:
+ - ../restrict-wildcard-verbs.yaml
+resources:
+ - resource.yaml
+results:
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: empty-rules
+ kind: ClusterRole
+ result: pass
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: empty-rules
+ kind: Role
+ result: pass
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: omitted-rules
+ kind: ClusterRole
+ result: pass
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: omitted-rules
+ kind: Role
+ result: pass
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: wildcard-once
+ kind: ClusterRole
+ result: fail
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: wildcard-once
+ kind: Role
+ result: fail
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: wildcard-with-another-verb
+ kind: ClusterRole
+ result: fail
+ - policy: restrict-wildcard-verbs
+ rule: wildcard-verbs
+ resource: wildcard-with-another-verb
+ kind: Role
+ result: fail
diff --git a/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml b/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..a27a73479
--- /dev/null
+++ b/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml
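Review bot: The only `result: pass` entries in this results list are for `empty-rules` and `omitted-rules`, so the test has no positive control for a Role or ClusterRole whose `rules` are populated but contain no `*` verb; a regression that made the `contains(to_array(...))` expression deny every non-empty rules list would still leave this test green. Add a fixture (say `explicit-verbs`, with `verbs: ["get", "list"]` for both kinds) to resource.yaml and two matching pass entries here. The fixtures for the existing entries live in the resource.yaml hunk below.
```yaml
# … unchanged: existing results entries …
 - policy: restrict-wildcard-verbs
   rule: wildcard-verbs
   resource: explicit-verbs
   kind: ClusterRole
   result: pass
 - policy: restrict-wildcard-verbs
   rule: wildcard-verbs
   resource: explicit-verbs
   kind: Role
   result: pass
```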
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: empty-rules
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: empty-rules
+ namespace: test
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: omitted-rules
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: omitted-rules
+ namespace: test
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wildcard-once
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: wildcard-once
+ namespace: test
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wildcard-with-another-verb
+rules:
+- apiGroups: ["my-arbitrary-group"]
+ resources: ["my-resource"]
+ verbs: ["GET", "*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: wildcard-with-another-verb
+ namespace: test
+rules:
+- apiGroups: ["my-arbitrary-group"]
+ resources: ["my-resource"]
+ verbs: ["GET", "*"]
diff --git a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
index 3bad86f7e..4d35bb57b 100644
--- a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
+++ b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
@@ -32,6 +32,6 @@ spec: deny: conditions: any: - - key: "{{ contains(request.object.rules[].verbs[], '*') }}" + - key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}" operator: Equals - value: true \ No newline at end of file + value: true
From edcce3aaf72225d8f3d0cdcc6b9f83b2cf5f623b Mon Sep 17 00:00:00 2001
From: Daniel Reed
Date: Thu, 30 May 2024 10:01:15 -0600
Subject: [PATCH 2/2] update digest in artifacthub-pkg.yml
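Review bot: The bare `rules:` lines under both `empty-rules` fixtures carry no value, which YAML parses as null, so these documents exercise the null case named in the commit title but not an explicit empty list; `rules: []` is a distinct input (the projection `request.object.rules[].verbs[]` yields an empty list rather than null) and is what a client serializing an empty slice will send. Either rename these fixtures to `null-rules` or add a third Role/ClusterRole pair with `rules: []` and matching `result: pass` entries in kyverno-test.yaml. Separately, `verbs: ["GET", "*"]` under `wildcard-with-another-verb` uses an uppercase verb; as far as I know the RBAC authorizer matches rule verbs case-sensitively against lowercase request verbs, so `verbs: ["get", "*"]` keeps the fixture realistic without changing what the policy checks.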
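Review bot: The new `to_array(request.object.rules[].verbs[])` wrapper has no comment explaining why it is there, and a later reader is likely to drop it as redundant because the projection already returns a list whenever `rules` is populated. The reason it is needed is that a JMESPath projection over an absent or null `rules` evaluates to null, and `contains()` on null is a type error that makes the rule error rather than pass, whereas `to_array(null)` yields a one-element list so `contains(..., '*')` is simply `false` for the empty and omitted fixtures. Add above the key line: `# to_array() guards the null produced when rules is unset or null; contains() on null is a JMESPath type error`. The `wildcard-verbs` rule and its `validate` block begin before this hunk.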
Signed-off-by: Daniel Reed
---
 other/restrict-wildcard-verbs/artifacthub-pkg.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/other/restrict-wildcard-verbs/artifacthub-pkg.yml b/other/restrict-wildcard-verbs/artifacthub-pkg.yml
index 096591d1e..362adcc55 100644
--- a/other/restrict-wildcard-verbs/artifacthub-pkg.yml
+++ b/other/restrict-wildcard-verbs/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations: kyverno/category: "Security, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Role, ClusterRole, RBAC" -digest: 3107969ac2e467ebca02514dd6c099b05b9294bc863e8e45b0d58e0ec5c1cbb6 +digest: 6c66139e22ed82c0b6d4756b7653136347fdb9575976e13292fbc33e516fe475