fix(kubescape): anchor the remaining literal CSE name matchers#2479
Kubescape matches ClusterSecurityException resource names as unanchored regexes; exec-into-container-rbac and wildcard-rbac carried the last 10 unanchored literals (secret-reader-rbac is fixed on its own PR). The Headlamp mirror ConfigMap was anchored all along. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
🎉 This PR is included in version 1.98.5 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Why

Kubescape matches security-exception resource names as unanchored regexes, so a literal like `flux-operator` can silently suppress findings on future RBAC objects whose names merely contain it — quietly widening an exception's blast radius.

What

Anchors the last 10 literal matchers (in the exec-into-container and wildcard-RBAC exceptions) with `^…$`, matching what the Headlamp mirror already does. Same fix CodeRabbit flagged as Major on the secret-reader exception in #2442; no behaviour change for the intended matches.

Related to #2441.
🤖 Generated with Claude Code
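To illustrate the matcher widening this PR closes, here is an added Python check (not code from the Kubescape project or from this PR) that applies an unanchored and a `^…$`-anchored name matcher to a constructed list of RBAC object names and lints for matchers that are still unanchored; the matcher and object names are constructed placeholders, not the exception's real values.

```python
import re

# Constructed sample data (placeholders, not the PR's real exception names):
# one literal matcher as it looked before this fix, and RBAC object names
# that might exist in a cluster now or be created later.
LITERAL_MATCHER = "flux-operator"
RBAC_OBJECT_NAMES = [
    "flux-operator",                  # the intended match
    "flux-operator-leader-election",  # merely contains the literal
    "metrics-server",
]


def is_anchored(pattern: str) -> bool:
    """True when the pattern is pinned to both ends with ^ and $."""
    return pattern.startswith("^") and pattern.endswith("$")


def anchor(pattern: str) -> str:
    """Wrap a literal matcher in ^...$ (the change this PR makes);
    no-op if it is already anchored."""
    return pattern if is_anchored(pattern) else f"^{pattern}$"


def suppressed_by(pattern: str, names: list[str]) -> list[str]:
    """Names whose findings the matcher would silence.

    re.search mirrors unanchored matching: a pattern without ^/$ matches
    anywhere inside the name, which is the widening described above.
    """
    return [n for n in names if re.search(pattern, n)]


def find_unanchored(patterns: list[str]) -> list[str]:
    """Lint helper: every matcher that is not anchored at both ends."""
    return [p for p in patterns if not is_anchored(p)]


if __name__ == "__main__":
    before = suppressed_by(LITERAL_MATCHER, RBAC_OBJECT_NAMES)
    after = suppressed_by(anchor(LITERAL_MATCHER), RBAC_OBJECT_NAMES)
    print("unanchored suppresses:", before)
    print("anchored suppresses:  ", after)
    print("still unanchored:", find_unanchored([LITERAL_MATCHER, anchor(LITERAL_MATCHER)]))
```

Running `find_unanchored` over every name matcher in an exception manifest is a cheap pre-merge check that catches the same class of issue CodeRabbit flagged here.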