added cluster role permissions required for openshift container platf…

…orm kube-bench cis benchmark scans SLK-77648
aquasecurity · Jan 23, 2024 · c2293c9 · c2293c9
1 parent c76f90a
commit c2293c9
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ This repository includes the following charts; they can be deployed separately:
 | [Server](server/)                   | Deploys the Console, Database, and Gateway components; optionally deploys Envoy component                                                                     | 2022.4.23            |
 | [Enforcer](enforcer/)               | Deploys the Aqua Enforcer daemonset                                                                                                                           | 2022.4.20            |
 | [Scanner](scanner/)                 | Deploys the Aqua Scanner deployment                                                                                                                           | 2022.4.6             |
-| [KubeEnforcer](kube-enforcer/)      | Deploys Aqua KubeEnforcer                                                                                                                                     | 2022.4.38            |
+| [KubeEnforcer](kube-enforcer/)      | Deploys Aqua KubeEnforcer                                                                                                                                     | 2022.4.39            |
 | [Gateway](gateway)                  | Deploys the Aqua Standalone Gateway                                                                                                                           | 2022.4.12            |
 | [Tenant-Manager](tenant-manager/)   | Deploys the Aqua Tenant Manager                                                                                                                               | 2022.4.0             |
 | [Cyber Center](cyber-center/)       | Deploys Aqua CyberCenter offline for air-gap environment                                                                                                      | 2022.4.3             |
@@ -81,7 +81,7 @@ aqua-helm/codesec-agent         1.2.3           2022.4          A Helm chart for
 aqua-helm/cloud-connector       2022.4.4        2022.4          A Helm chart for Aqua Cloud-Connector
 aqua-helm/cyber-center          2022.4.3        2022.4          A Helm chart for Aqua CyberCenter
 aqua-helm/enforcer              2022.4.20       2022.4          A Helm chart for the Aqua Enforcer
-aqua-helm/kube-enforcer         2022.4.38       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
+aqua-helm/kube-enforcer         2022.4.39       2022.4          A Helm chart for the Aqua KubeEnforcer Starboard
 aqua-helm/gateway               2022.4.12       2022.4          A Helm chart for the Aqua Gateway
 aqua-helm/scanner               2022.4.6        2022.4          A Helm chart for the Aqua Scanner CLI component
 aqua-helm/server                2022.4.23       2022.4          A Helm chart for the Aqua Console components

diff --git a/kube-enforcer/CHANGELOG.md b/kube-enforcer/CHANGELOG.md
@@ -1,6 +1,9 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## 2022.4.39 ( Jan 19th, 2024 )
+* Updated cluster-role.yaml to include additional permissions required for running kube-bench cis benchmarks in openshift container platform
+
 ## 2022.4.38 ( Jan 8th, 2024 )
 * Updated trivy-operator.yaml to include sbom env variable
 * New enforcer version 2022.4.20

diff --git a/kube-enforcer/Chart.yaml b/kube-enforcer/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "2022.4"
 description: A Helm chart for the Aqua KubeEnforcer
 name: kube-enforcer
-version: "2022.4.38"
+version: "2022.4.39"
 dependencies:
   - name: enforcer
     version: "2022.4.20"

diff --git a/kube-enforcer/templates/cluster-role.yaml b/kube-enforcer/templates/cluster-role.yaml
@@ -19,11 +19,29 @@ rules:
     verbs: ["get", "list", "watch"]
   {{- if eq .Values.global.platform "openshift"}}
   - apiGroups: ["operator.openshift.io"]
-    resources: ["imagecontentsourcepolicies"]
+    resources: ["imagecontentsourcepolicies", "openshiftapiservers", "kubeapiservers"]
     verbs: ["get", "list", "watch"]
   - apiGroups: [ "apps.openshift.io" ]
     resources: [ "deploymentconfigs" ]
     verbs: [ "get", "list", "watch" ]
+  - apiGroups: ["*"]
+    resources: ["pods","namespaces"]
+    verbs: ["create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec"]
+    verbs: ["create"]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts", "endpoints" ]
+    verbs: [ "list" ]
+  - apiGroups: [ "config.openshift.io" ]
+    resources: [ "clusteroperators" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: ["security.openshift.io"]
+    resources: ["securitycontextconstraints"]
+    verbs: ["get", "list"]
+  - apiGroups: ["machineconfiguration.openshift.io"]
+    resources: ["machineconfigs", "machineconfigpools"]
+    verbs: ["get", "list"]
   {{- end }}
   - apiGroups:
       - "*"