#2621 Rename ClusterRole and ClusterRoleBinding

BorisShek · BorisShek · commit 632942e82174 · 2025-04-24T17:03:02.000+02:00
Rename the ClusterRole 'manager-role' and ClusterRoleBinding 'manager-rolebinding' to 'securecodebox-manager-role' and 'securecodebox-manager-rolebinding', respectively, because the original names are too generic and could collide with other projects in the same cluster.

Signed-off-by: Boris Shek &lt;boris.shek@iteratec.com&gt;
diff --git a/operator/Makefile b/operator/Makefile
@@ -61,7 +61,7 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName="manager-role",headerFile="hack/boilerplate.yaml.txt" crd:maxDescLen=256,headerFile="hack/boilerplate.yaml.txt" webhook paths="./..." output:crd:artifacts:config=crds output:rbac:artifacts:config=templates/rbac
+	$(CONTROLLER_GEN) rbac:roleName="securecodebox-manager-role",headerFile="hack/boilerplate.yaml.txt" crd:maxDescLen=256,headerFile="hack/boilerplate.yaml.txt" webhook paths="./..." output:crd:artifacts:config=crds output:rbac:artifacts:config=templates/rbac
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
diff --git a/operator/templates/rbac/role.yaml b/operator/templates/rbac/role.yaml
@@ -5,7 +5,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: manager-role
+  name: securecodebox-manager-role
 rules:
 - apiGroups:
   - ""
diff --git a/operator/templates/rbac/role_binding.yaml b/operator/templates/rbac/role_binding.yaml
@@ -5,11 +5,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: securecodebox-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: manager-role
+  name: securecodebox-manager-role
 subjects:
   - kind: ServiceAccount
     name: {{.Values.serviceAccount.name}}
diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap
@@ -271,7 +271,7 @@ matches the snapshot:
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
-      name: manager-role
+      name: securecodebox-manager-role
     rules:
       - apiGroups:
           - ""
@@ -370,11 +370,11 @@ matches the snapshot:
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
-      name: manager-rolebinding
+      name: securecodebox-manager-rolebinding
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
-      name: manager-role
+      name: securecodebox-manager-role
     subjects:
       - kind: ServiceAccount
         name: securecodebox-operator
@@ -848,7 +848,7 @@ properly-renders-the-service-monitor-when-enabled:
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRole
     metadata:
-      name: manager-role
+      name: securecodebox-manager-role
     rules:
       - apiGroups:
           - ""
@@ -947,11 +947,11 @@ properly-renders-the-service-monitor-when-enabled:
     apiVersion: rbac.authorization.k8s.io/v1
     kind: ClusterRoleBinding
     metadata:
-      name: manager-rolebinding
+      name: securecodebox-manager-rolebinding
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
-      name: manager-role
+      name: securecodebox-manager-role
     subjects:
       - kind: ServiceAccount
         name: securecodebox-operator
diff --git a/scanners/trivy/parser/__snapshots__/parser.test.js.snap b/scanners/trivy/parser/__snapshots__/parser.test.js.snap
@@ -100044,7 +100044,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV048",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -100055,7 +100055,7 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "Check whether role permits update/create of a malicious pod",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Create a role which does not permit update/create of a malicious pod",
     "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)",
     "references": [
@@ -100073,7 +100073,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV050",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -100084,9 +100084,9 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "An effective level of access equivalent to cluster-admin should not be provided.",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
-    "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
+    "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
     "references": [
       {
         "type": "URL",
@@ -100102,7 +100102,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV050",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -100113,9 +100113,9 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "An effective level of access equivalent to cluster-admin should not be provided.",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
-    "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
+    "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
     "references": [
       {
         "type": "URL",
@@ -152880,7 +152880,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV048",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -152891,7 +152891,7 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "Check whether role permits update/create of a malicious pod",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Create a role which does not permit update/create of a malicious pod",
     "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)",
     "references": [
@@ -152909,7 +152909,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV050",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -152920,9 +152920,9 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "An effective level of access equivalent to cluster-admin should not be provided.",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
-    "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
+    "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
     "references": [
       {
         "type": "URL",
@@ -152938,7 +152938,7 @@ and the severity is therefore considered low.",
   {
     "attributes": {
       "fixedVersion": undefined,
-      "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'",
+      "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'",
       "id": "KSV050",
       "installedVersion": undefined,
       "packageName": undefined,
@@ -152949,9 +152949,9 @@ and the severity is therefore considered low.",
     },
     "category": "Misconfiguration",
     "description": "An effective level of access equivalent to cluster-admin should not be provided.",
-    "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role",
+    "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role",
     "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
-    "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
+    "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])",
     "references": [
       {
         "type": "URL",
diff --git a/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json b/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json
@@ -46802,10 +46802,10 @@
     },
     {
       "Kind": "ClusterRole",
-      "Name": "manager-role",
+      "Name": "securecodebox-manager-role",
       "Results": [
         {
-          "Target": "ClusterRole/manager-role",
+          "Target": "ClusterRole/securecodebox-manager-role",
           "Class": "config",
           "Type": "kubernetes",
           "Packages": [],
@@ -46940,7 +46940,7 @@
               "AVDID": "AVD-KSV-0050",
               "Title": "Do not allow management of RBAC resources",
               "Description": "An effective level of access equivalent to cluster-admin should not be provided.",
-              "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
+              "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
               "Namespace": "builtin.kubernetes.KSV050",
               "Query": "data.builtin.kubernetes.KSV050.deny",
               "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
@@ -47050,7 +47050,7 @@
               "AVDID": "AVD-KSV-0050",
               "Title": "Do not allow management of RBAC resources",
               "Description": "An effective level of access equivalent to cluster-admin should not be provided.",
-              "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
+              "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
               "Namespace": "builtin.kubernetes.KSV050",
               "Query": "data.builtin.kubernetes.KSV050.deny",
               "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
@@ -65501,10 +65501,10 @@
     },
     {
       "Kind": "ClusterRoleBinding",
-      "Name": "manager-rolebinding",
+      "Name": "securecodebox-manager-rolebinding",
       "Results": [
         {
-          "Target": "ClusterRoleBinding/manager-rolebinding",
+          "Target": "ClusterRoleBinding/securecodebox-manager-rolebinding",
           "Class": "config",
           "Type": "kubernetes",
           "Packages": [],
diff --git a/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json b/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json
@@ -46909,10 +46909,10 @@
     },
     {
       "Kind": "ClusterRole",
-      "Name": "manager-role",
+      "Name": "securecodebox-manager-role",
       "Results": [
         {
-          "Target": "ClusterRole/manager-role",
+          "Target": "ClusterRole/securecodebox-manager-role",
           "Class": "config",
           "Type": "kubernetes",
           "Packages": [],
@@ -47047,7 +47047,7 @@
               "AVDID": "AVD-KSV-0050",
               "Title": "Do not allow management of RBAC resources",
               "Description": "An effective level of access equivalent to cluster-admin should not be provided.",
-              "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
+              "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
               "Namespace": "builtin.kubernetes.KSV050",
               "Query": "data.builtin.kubernetes.KSV050.deny",
               "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
@@ -47157,7 +47157,7 @@
               "AVDID": "AVD-KSV-0050",
               "Title": "Do not allow management of RBAC resources",
               "Description": "An effective level of access equivalent to cluster-admin should not be provided.",
-              "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
+              "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]",
               "Namespace": "builtin.kubernetes.KSV050",
               "Query": "data.builtin.kubernetes.KSV050.deny",
               "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'",
@@ -53300,10 +53300,10 @@
     },
     {
       "Kind": "ClusterRoleBinding",
-      "Name": "manager-rolebinding",
+      "Name": "securecodebox-manager-rolebinding",
       "Results": [
         {
-          "Target": "ClusterRoleBinding/manager-rolebinding",
+          "Target": "ClusterRoleBinding/securecodebox-manager-rolebinding",
           "Class": "config",
           "Type": "kubernetes",
           "Packages": [],
