From bc195ce0f9a501c77fd30a9edc90bf22320fed7c Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Sat, 4 Jul 2026 23:43:10 +0200
Subject: [PATCH] fix(kubescape): anchor the remaining literal CSE name matchers

Kubescape matches ClusterSecurityException resource names as unanchored regexes; exec-into-container-rbac and wildcard-rbac carried the last 10 unanchored literals (secret-reader-rbac is fixed on its own PR). The Headlamp mirror ConfigMap was anchored all along.

Co-Authored-By: Claude Fable 5
---
 .../exec-into-container-rbac.yaml | 12 ++++++------
 .../cluster-security-exceptions/wildcard-rbac.yaml | 8 ++++----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml b/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
index f3da1f097..12360c2f0 100644
--- a/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
+++ b/k8s/bases/infrastructure/cluster-security-exceptions/exec-into-container-rbac.yaml
@@ -54,22 +54,22 @@ spec:
     # Velero — namespaced binding + Role, and the cluster-admin CRB
     - apiGroup: rbac.authorization.k8s.io
       kind: RoleBinding
-      name: velero-server
+      name: ^velero-server$
     - apiGroup: rbac.authorization.k8s.io
       kind: Role
-      name: velero-server
+      name: ^velero-server$
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: velero-server
+      name: ^velero-server$
     # CloudNativePG — CRB whose ClusterRole explicitly grants pods/exec
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: cloudnative-pg
+      name: ^cloudnative-pg$
     # Flux kustomize-/helm-controller — cluster-admin via cluster-reconciler CRB
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: cluster-reconciler-flux-system
+      name: ^cluster-reconciler-flux-system$
     # Flux operator — cluster-admin CRB
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: flux-operator
+      name: ^flux-operator$
diff --git a/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml b/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
index a9f4d3527..7efba81a4 100644
--- a/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
+++ b/k8s/bases/infrastructure/cluster-security-exceptions/wildcard-rbac.yaml
@@ -41,13 +41,13 @@ spec:
   resources:
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: cluster-reconciler-flux-system
+      name: ^cluster-reconciler-flux-system$
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: flux-operator
+      name: ^flux-operator$
     - apiGroup: rbac.authorization.k8s.io
       kind: ClusterRoleBinding
-      name: velero-server
+      name: ^velero-server$
     - apiGroup: rbac.authorization.k8s.io
       kind: Role
-      name: velero-server
+      name: ^velero-server$
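Review bot: The anchored matchers still select the namespaced objects by name alone — the `kind: RoleBinding` and `kind: Role` entries for `^velero-server$` carry no namespace, so if the matcher accepts one, a `Role` or `RoleBinding` named `velero-server` created in any other namespace would inherit this pods/exec exception; pin them with `namespace: velero` (or whichever namespace Velero is installed in) next to `name`. The commit message says only that `name` is matched as an unanchored regex; if `kind` is matched the same way, `kind: Role` would also match `ClusterRole`, `RoleBinding` and `ClusterRoleBinding`, which is worth confirming against the Kubescape matcher before relying on `kind` to narrow an entry. Quoting the patterns (`name: '^velero-server$'`) would also signal to readers that these values are regexes rather than literal names. The `resources` list these entries belong to begins before the hunk.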
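Review bot: None of the four exempted bindings in wildcard-rbac.yaml carries a rationale, whereas the sibling exec-into-container-rbac.yaml gives each entry a one-line comment naming the grant being excused; a reader of this file cannot tell which ClusterRole holds the wildcard rule or when the exception can be retired. Add the same style of comment above each entry, e.g. `# Flux kustomize-/helm-controller — cluster-admin via cluster-reconciler CRB` above `cluster-reconciler-flux-system`, `# Flux operator — cluster-admin CRB` above `flux-operator`, and `# Velero — cluster-admin CRB and namespaced Role` above the two velero entries. The `kind: Role` entry for `^velero-server$` likewise has no `namespace`, so it would exempt a Role of that name in any namespace if the matcher supports namespace scoping. The `resources` key is the hunk's first context line; the enclosing `spec` starts before the hunk.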