From 3f201c6ca06b896860b62031d1b665f77868775c Mon Sep 17 00:00:00 2001
From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com>
Date: Fri, 6 Sep 2024 12:23:15 -0700
Subject: [PATCH] Create restrict-binding-privileged-role

---
 .../restrict-binding-privileged-role | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 rbac-best-practices/restrict-binding-privileged-role

diff --git a/rbac-best-practices/restrict-binding-privileged-role b/rbac-best-practices/restrict-binding-privileged-role
new file mode 100644
index 00000000..45068a94
--- /dev/null
+++ b/rbac-best-practices/restrict-binding-privileged-role
@@ -0,0 +1,55 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-binding-privileged-role
+ annotations:
+ policies.kyverno.io/title: Restrict Binding to a Privileged Role
+ policies.kyverno.io/category: Security, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ClusterRole, Role, RBAC
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.6.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ Binding to Wildcards ('*') in resourcesName when allowing creation of clusterole should not be allowed.
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: restrict-binding-privileged-role
+ match:
+ any:
+ - resources:
+ kinds:
+ - Role
+ - ClusterRole
+ preconditions:
+ all:
+ - key: "{{ request.object.rules[].apiGroups[] }}"
+ operator: AnyIn
+ value: rbac.authorization.k8s.io
+ - key: "{{ request.object.rules[].resources[] }}"
+ operator: AnyIn
+ value:
+ - clusterrolebindings
+ - rolebindings
+ - key: "{{ request.object.rules[].verbs[] }}"
+ operator: AnyIn
+ value: create
+ validate:
+ deny:
+ conditions:
+ all:
+ - key: "{{ request.object.rules[].apiGroups[] }}"
+ operator: AnyIn
+ value: rbac.authorization.k8s.io
+ - key: "{{ request.object.rules[].resources[] }}"
+ operator: AnyIn
+ value:
+ - clusterroles
+ - roles
+ - key: "{{ request.object.rules[].verbs[] }}"
+ operator: AnyIn
+ value: bind
+ - key: "{{ contains(request.object.rules[].resourceNames[], '*') }}"
+ operator: Equals
+ value: true
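Review bot: The final deny condition, `contains(request.object.rules[].resourceNames[], '*')`, does not catch the grant the policy is meant to restrict: Kubernetes RBAC matches resourceNames by exact string and treats an absent or empty resourceNames as "all names", so a rule granting `bind` on clusterroles with no resourceNames is admitted, while a literal `*` entry only ever matches an object actually named `*`. The condition should instead flag a `bind` rule on roles/clusterroles whose resourceNames is missing or empty, for example by counting `request.object.rules[?!resourceNames]` with `operator: GreaterThan` and `value: 0` (verify the filter against the Kyverno JMESPath build in use). Rules written as `verbs: ["*"]`, `resources: ["*"]` or `apiGroups: ["*"]` also slip past every AnyIn check here, which compare literal names only; listing `"*"` alongside each expected value (e.g. `value: [bind, "*"]`) closes that gap. Because the checks flatten across all rules (`rules[].verbs[]`, `rules[].resources[]`) rather than evaluating each rule on its own, fragments of unrelated rules can also combine into a false match. In the description annotation, `resourcesName` and `clusterole` should read `resourceNames` and `clusterrole`.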