The task says:
Your task is to modify the RBAC configuration as follows:
Prevent the ci-bot service account from binding to any role that has “admin” or “cluster-admin” in its name.
While the solution simply checks whether the role has read-only permissions on clusterrolebindings and rolebindings:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-bot-role
rules:
  [...]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings", "rolebindings"]
    verbs: ["get", "list", "watch"]
```
Which doesn't contradict it, but why is the not contains("admin", "cluster-admin") there when it's ignored during the check? It only makes this task more confusing; I was searching for some empty verb array, or just "list", for

```yaml
  - apiGroups:
      - rbac.authorization.k8s.io
    # resourceNames are matched literally by the RBAC authorizer (no globbing),
    # and list/watch requests carry no name, so they never match a rule that has resourceNames
    resourceNames: ["admin*", "admin", "*admin*", "cluster-admin", "cluster-admin*", "*cluster-admin*"]
    resources:
      - roles
      - clusterroles
    verbs: ["list"]
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - clusterroles
    verbs: ["bind"]
...
```
What is more, it retains clusterrolebinding, which I would swap for rolebinding in the ci-cd namespace.
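As an added example (not part of the original post or of the task's solution), the following Python script models the part of Kubernetes RBAC rule matching that decides which roles a subject may `bind`, then audits three constructed rule sets for the ci-bot account: the task's read-only rules, a wildcard sketch like the one above, and an allow-list variant. The role inventory, the `ci-deployer` role name and the rule sets are all constructed here and are not from the task.

```python
# Added example, not code from the original post. It models how the RBAC
# authorizer matches a PolicyRule against a request and uses that to audit
# which roles ci-bot could reference in a binding. All data is constructed.
RBAC_GROUP = "rbac.authorization.k8s.io"


def _matches(allowed, value):
    """apiGroups, resources and verbs match on "*" or on the exact value."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb, name=None):
    """Evaluate one PolicyRule the way the RBAC authorizer does.

    resourceNames has no wildcard support: an absent or empty list means
    "any name", otherwise the request's name must appear verbatim. list and
    watch requests carry no name, so a rule with resourceNames never grants
    them (name is None here for such requests).
    """
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames") or []
    return not names or name in names


def can(rules, api_group, resource, verb, name=None):
    """True when any rule in the subject's effective rule set allows the request."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in rules)


def bindable_roles(rules, roles):
    """Names of roles the subject holds the "bind" verb on.

    roles: iterable of (kind, name) with kind "Role" or "ClusterRole".
    Simplification: the authorizer also lets a subject bind a role whose
    permissions it already fully holds; that escape path is not modelled.
    """
    kind_to_resource = {"Role": "roles", "ClusterRole": "clusterroles"}
    return sorted(name for kind, name in roles
                  if can(rules, RBAC_GROUP, kind_to_resource[kind], "bind", name))


def forbidden_bindable(rules, roles, markers=("admin", "cluster-admin")):
    """Bindable roles whose name contains a forbidden marker (the task's rule)."""
    return [n for n in bindable_roles(rules, roles) if any(m in n for m in markers)]


# Constructed role inventory; "app-admin" shows that substring-looking entries
# under resourceNames do not match anything but themselves.
CLUSTER_ROLES = [("ClusterRole", "cluster-admin"), ("ClusterRole", "admin"),
                 ("ClusterRole", "ci-deployer"), ("Role", "app-admin")]

# Rules from the task's solution: read-only on bindings, no "bind" verb at all.
READ_ONLY_RULES = [
    {"apiGroups": [RBAC_GROUP],
     "resources": ["clusterrolebindings", "rolebindings"],
     "verbs": ["get", "list", "watch"]},
]

# Wildcard sketch (constructed): RBAC is allow-only and matches names
# literally, so this GRANTS bind on "admin" and "cluster-admin" while the
# glob-looking entries match no existing role.
WILDCARD_SKETCH_RULES = [
    {"apiGroups": [RBAC_GROUP],
     "resources": ["roles", "clusterroles"],
     "resourceNames": ["admin*", "admin", "*admin*",
                       "cluster-admin", "cluster-admin*", "*cluster-admin*"],
     "verbs": ["bind"]},
]

# Allow-list form (constructed): name the roles ci-bot may bind, omit the rest.
ALLOW_LIST_RULES = [
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
     "resourceNames": ["ci-deployer"], "verbs": ["bind"]},
]

# A "list" rule restricted by resourceNames grants nothing (constructed).
NAMED_LIST_RULES = [
    {"apiGroups": [RBAC_GROUP], "resources": ["roles"],
     "resourceNames": ["admin"], "verbs": ["list"]},
]

if __name__ == "__main__":
    for label, rules in [("read-only", READ_ONLY_RULES),
                         ("wildcard sketch", WILDCARD_SKETCH_RULES),
                         ("allow-list", ALLOW_LIST_RULES)]:
        print(f"{label:16} bindable={bindable_roles(rules, CLUSTER_ROLES)} "
              f"forbidden={forbidden_bindable(rules, CLUSTER_ROLES)}")
```

Because RBAC has no deny rules and no name globbing, the audit shows that the only configuration which keeps every role containing "admin" out of reach is the allow-list one: grant `bind` with `resourceNames` naming exactly the roles ci-bot is meant to use.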