fix(kubescape): make C-0015 secret-list exceptions take effect #2442
Merged: devantler merged 6 commits into main from claude/kubescape-c0015-secret-reader-exception (Jul 5, 2026)
Commits:
- ae42c3f fix(kubescape): make C-0015 secret-list exceptions take effect (devantler)
- 9ee0e9e Merge remote-tracking branch 'origin/main' into claude/kubescape-c001… (devantler)
- e602406 fix(kubescape): match Crossplane provider revision hashes with a regex (devantler)
- bfe0171 fix(kubescape): match Crossplane provider revision hashes with a rege… (devantler)
- 8e9fc59 fix(kubescape): anchor the literal secret-reader CSE name matchers (devantler)
- 95d2b0e Merge remote-tracking branch 'origin/main' into claude/kubescape-c001… (devantler)
269 changes: 269 additions & 0 deletions
k8s/bases/infrastructure/cluster-security-exceptions/secret-reader-rbac.yaml
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,269 @@ | ||
| --- | ||
| # Secret-reader RBAC exception (Kubescape C-0015, "List Kubernetes secrets") for | ||
| # the controllers, operators and databases that legitimately read Secrets BY | ||
| # DESIGN. | ||
| # | ||
| # Why this is a separate CR and not a `namespaceSelector` entry in | ||
| # controller-rbac.yaml: a namespaceSelector does NOT suppress C-0015. Like | ||
| # C-0187 (see wildcard-rbac.yaml), C-0015 is an RBAC control β Kubescape attaches | ||
| # the finding to the RBAC object graph (the ServiceAccount subject plus its | ||
| # Role/ClusterRole and RoleBinding/ClusterRoleBinding), not to a namespaced | ||
| # workload. The kubescape CRD exceptions getter turns a namespaceSelector into a | ||
| # bare `{namespace: X}` designator, and the suppressible objects here are almost | ||
| # all cluster-scoped (a ClusterRole/ClusterRoleBinding has no namespace), so the | ||
| # namespace never matches and the exception is inert. Proven live: origin-ca-issuer | ||
| # is in controller-rbac.yaml's selected `cert-manager` namespace yet still fails | ||
| # C-0015. Matching the specific RBAC objects by kind+name is the mechanism that | ||
| # actually works (opa-utils exceptionprocessor.go re-wraps each related object and | ||
| # compares its top-level kind+name) β the same pattern wildcard-rbac.yaml uses. | ||
| # | ||
| # Match the permission-bearer (the Role/ClusterRole that grants the secrets verb), | ||
| # and β for the cluster-admin holders whose secret access comes from the shared | ||
| # `cluster-admin` ClusterRole β the specific ClusterRoleBinding (as wildcard-rbac.yaml | ||
| # does), so a NEW cluster-admin binding still trips C-0015. | ||
| # | ||
| # Deliberately NOT exempted (kept flagged so the control keeps doing its job): | ||
| # - The unused tenant SAs `wedding-app` and `ascoachingogvaner`, bound to the | ||
| # broad built-in `ClusterRole/edit`: their pods run as the `default` SA, so | ||
| # these edit-bound SAs are dormant namespace-wide secret grants = genuine | ||
| # over-privilege to remove, not to silence. | ||
| # - `crossview-sa` (`crossview-role` grants `*/* get,list,watch`, i.e. reads all | ||
| # Secret contents for a topology viewer) β tighten upstream in the crossview | ||
| # chart, don't exempt. | ||
| # - The break-glass admin groups `system:masters` (cluster-admin) and | ||
| # `crossplane:masters` (crossplane-admin): surfacing the highest-privilege | ||
| # identities is the control working as intended. | ||
| # - `longhorn-support-bundle` (an on-demand diagnostic SA bound to cluster-admin) | ||
| # β same treatment as in wildcard-rbac.yaml. | ||
| # | ||
| # Keep this list and the Headlamp mirror | ||
| # (controllers/kubescape/config-map-headlamp-exceptions.yaml) in sync by hand. | ||
| apiVersion: kubescape.io/v1beta1 | ||
| kind: ClusterSecurityException | ||
| metadata: | ||
| name: secret-reader-rbac | ||
| spec: | ||
| reason: >- | ||
| Controllers, operators and databases that read Kubernetes Secrets by design | ||
| (cert-manager, External Secrets, CloudNativePG + Barman backups, Crossplane | ||
| and its providers, Kyverno, Flux/tofu, KEDA, Longhorn, Cilium, the Kubescape | ||
| operator, the built-in kube-controller-manager controllers, and the tenant | ||
| databases). Matched by the specific RBAC object (Role/ClusterRole, or the | ||
| binding for cluster-admin holders) so a new/accidental secret-reader | ||
| elsewhere still trips C-0015. Over-privileged or admin identities | ||
| (unused tenant `edit` SAs, crossview's wildcard read, the cluster-admin / | ||
| crossplane admin groups) are intentionally left flagged. | ||
| posture: | ||
| - controlID: C-0015 | ||
| action: ignore | ||
| match: | ||
| resources: | ||
| # Flux GitOps & tofu-controller | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crd-controller-flux-system$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^tf-runner-role$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^tofu-cluster-reconciler-role$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^tofu-manager-role$ | ||
| # Cluster-admin holders (Flux reconcilers, Velero) β matched by binding, mirroring wildcard-rbac.yaml | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRoleBinding | ||
| name: ^cluster-reconciler-flux-system$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRoleBinding | ||
| name: ^flux-operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRoleBinding | ||
| name: ^velero-server$ | ||
| # cert-manager (TLS/CA secret management) | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-cainjector$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-controller-certificates$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-controller-challenges$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-controller-clusterissuers$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-controller-issuers$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cert-manager-controller-orders$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^origin-ca-issuer-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^simply-dns-webhook:secret-access$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^cert-manager-webhook:dynamic-serving$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^trust-manager$ | ||
| # CloudNativePG operator + tenant databases & Barman backups | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cloudnative-pg$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^plugin-barman-cloud$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^backstage-db$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^coroot-db$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^coroot-db-barman-cloud$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^umami-db$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^umami-db-barman-cloud$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^wedding-db$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^wedding-db-barman-cloud$ | ||
| # External Secrets Operator | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^external-secrets-cert-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^external-secrets-controller$ | ||
| # Crossplane + upjet providers (reconcile provider-credential Secrets) | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crossplane$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crossplane:provider:provider-aws-iam-[0-9a-f]+:system$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crossplane:provider:provider-family-aws-[0-9a-f]+:system$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crossplane:provider:provider-upjet-github-[0-9a-f]+:system$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^crossplane:provider:provider-upjet-unifi-[0-9a-f]+:system$ | ||
| # Kyverno policy engine | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^kyverno:admission-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^kyverno:background-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^kyverno:cleanup-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^kyverno:reports-controller$ | ||
| # Observability & monitoring | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^coroot-cluster-agent$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^coroot-operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^kube-prometheus-stack-grafana-clusterrole$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^kube-prometheus-stack-kube-state-metrics$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^kube-prometheus-stack-operator$ | ||
| # Storage (Longhorn, Hetzner CSI) | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^hcloud-csi-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^longhorn-role$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^longhorn$ | ||
| # Cilium CNI & Gateway (TLS secrets) | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^cilium-operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^cilium-gateway-secrets$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^cilium-tlsinterception-secrets$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^hubble-generate-certs$ | ||
| # KEDA autoscaler | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^keda-operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^keda-operator-certs$ | ||
| # Kubernetes control-plane (kube-controller-manager) built-in controllers | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^system:controller:generic-garbage-collector$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^system:controller:namespace-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^system:controller:resourcequota-controller$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^system:kube-controller-manager$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^system:controller:bootstrap-signer$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^system:controller:token-cleaner$ | ||
| # Kubescape operator/scanner | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^kubescape$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^operator$ | ||
| # Other platform controllers (flagger, reloader, ksail-operator, OpenBao) | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^flagger$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^ksail-operator$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: ^reloader-reloader-role$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^vault-config$ | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Role | ||
| name: ^velero-server$ | ||
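Review bot: the `kind: Role` entries (`^trust-manager$`, `^longhorn$`, `^operator$`, `^vault-config$`, `^velero-server$`, the `*-db` and `kyverno:*` Roles, and so on) carry no namespace, so each matcher exempts a Role of that name in any namespace, which undercuts the header's promise that "a new/accidental secret-reader elsewhere still trips C-0015": a Role named `operator` or `longhorn` created in a tenant namespace with `secrets` list/get would be silenced by this same CR. Since the header itself notes that the exceptions getter emits a `{namespace: X}` designator and that namespace is inert only for cluster-scoped objects, add a `namespace:` line with the owning namespace next to every `kind: Role` entry (assuming the resource matcher accepts that field, which the header's description of the getter implies), and for the same reason give the generic ClusterRole names `^operator$` and `^kubescape$` a comment naming the release that owns them so a future reader can tell a collision from the intended target. The regex anchoring on every name and the `[0-9a-f]+` revision-hash patterns for the Crossplane provider ClusterRoles otherwise look consistent with the commit messages; one further documentation point is that the "Proven live" claim about origin-ca-issuer and the hand-maintained Headlamp mirror would be easier to re-verify if the header recorded the command used to list the C-0015 failures.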