kyverno · chipzoller · May 31, 2024 · May 21, 2024 · May 30, 2024
diff --git a/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml b/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: restrict-verbs
+policies:
+  -  ../restrict-wildcard-verbs.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: empty-rules
+    kind: ClusterRole
+    result: pass
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: empty-rules
+    kind: Role
+    result: pass
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: omitted-rules
+    kind: ClusterRole
+    result: pass
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: omitted-rules
+    kind: Role
+    result: pass
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: wildcard-once
+    kind: ClusterRole
+    result: fail
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: wildcard-once
+    kind: Role
+    result: fail
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: wildcard-with-another-verb
+    kind: ClusterRole
+    result: fail
+  - policy: restrict-wildcard-verbs
+    rule: wildcard-verbs
+    resource: wildcard-with-another-verb
+    kind: Role
+    result: fail
diff --git a/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml b/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: empty-rules
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: empty-rules
+  namespace: test
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: omitted-rules
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: omitted-rules
+  namespace: test
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wildcard-once
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wildcard-once
+  namespace: test
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: wildcard-with-another-verb
+rules:
+- apiGroups: ["my-arbitrary-group"]
+  resources: ["my-resource"]
+  verbs: ["GET", "*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: wildcard-with-another-verb
+  namespace: test
+rules:
+- apiGroups: ["my-arbitrary-group"]
+  resources: ["my-resource"]
+  verbs: ["GET", "*"]
diff --git a/other/restrict-wildcard-verbs/artifacthub-pkg.yml b/other/restrict-wildcard-verbs/artifacthub-pkg.yml
@@ -20,4 +20,4 @@ annotations:
   kyverno/category: "Security, EKS Best Practices"
   kyverno/kubernetesVersion: "1.23"
   kyverno/subject: "Role, ClusterRole, RBAC"
-digest: 3107969ac2e467ebca02514dd6c099b05b9294bc863e8e45b0d58e0ec5c1cbb6
+digest: 6c66139e22ed82c0b6d4756b7653136347fdb9575976e13292fbc33e516fe475
diff --git a/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
@@ -32,6 +32,6 @@ spec:
         deny:
           conditions:
             any:
-            - key: "{{ contains(request.object.rules[].verbs[], '*') }}"
+            - key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}"
               operator: Equals
-              value: true
+              value: true