pkg/analysis/default-rules.yaml

Name: InsightCloudSec
Description: Rapid7 InsightCloudSec default RBAC analysis rules
Uuid: 9371719c-1031-468c-91ed-576fdc9e9f59
# Exclusion expressions are evaluated with subject objects as an input
# Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
GlobalExclusions:
  - AddedBy: InsightCloudSec@rapid7.com
    Comment: "Exclude kube-system from analysis"
    Disabled: false
    Expression: |
      has(subject.namespace) && (subject.namespace == "kube-system")
    LastModified: "2021-09-22T15:25:01+03:00"
  - AddedBy: InsightCloudSec@rapid7.com
    Comment: "Exclude system roles from analysis"
    Disabled: false
    Expression: |
      has(subject.name) && subject.name.startsWith('system:')
    LastModified: "2021-09-22T15:25:01+03:00"
  - AddedBy: InsightCloudSec@rapid7.com
    Comment: "Exclude gatekeeper-system/gatekeeper-admin from analysis"
    Disabled: false
    Expression: |
      has(subject.namespace) && (subject.namespace == "gatekeeper-system") &&
      has(subject.name) && (subject.name == "gatekeeper-admin")
    LastModified: "2021-09-22T15:25:01+03:00"
    ValidBefore: 0

# Analysis Rules
Rules:
  - Name: Secret Readers
    Description: Capture principals that can read secrets
    References: []
    Severity: HIGH
    Uuid: 3c942117-f4ff-423a-83d4-f7d6b75a6b78
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating resources - use plural form (secrets not secret)
    AnalysisExpr: |
        subjects.filter(
            subject, has(subject.allowedTo) && subject.allowedTo.exists(
              rule,
              (has(rule.verb)     && rule.verb in ['get', '*'])         && (has(rule.resource)
              && rule.resource in ['secrets', '*']) &&                         (has(rule.apiGroup)
              && rule.apiGroup in ['core', '*'])
            )
        )
    Exclusions:
      - AddedBy: InsightCloudSec@rapid7.com
        Comment: "Exclude kube-system from analysis"
        Disabled: true
        Expression: |
          has(subject.namespace) && (subject.namespace == "kube-system")
        LastModified: "2021-09-22T15:25:01+03:00"
        ValidBefore: 0

  - Name: Workload Creators & Editors
    Description: Capture principals that can create or modify workloads of any kind (Deployments, Jobs, ...)
    Severity: HIGH
    Uuid: d5f5ea0c-82e9-4289-ba04-b40cc46be017
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://certitude.consulting/blog/en/kubernetes-rbac-security-pitfalls/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb)
           && rule.verb in ['create', 'update', 'patch', '*']) &&(has(rule.resource)
           && rule.resource in ['deployments', 'replicationcontrollers','daemonsets', 'statefulsets', 'replicasets', 'pods', 'jobs','cronjobs', '*'])
           && (has(rule.apiGroup) && rule.apiGroup in ['core', 'batch','*'])
        )
      )
    Exclusions: []


  - Name: Identify Privileges Escalators - via impersonate
    Description: Capture principals that can escalate privileges through the use of impersonation
    Severity: CRITICAL
    Uuid: a845ec84-8fec-4d64-8d8b-7c2b9ca05d63
    References:
      - https://certitude.consulting/blog/en/kubernetes-rbac-security-pitfalls/
      - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb)
           && rule.verb in ['impersonate', '*'])         &&(has(rule.resource)
           && rule.resource in ['users','groups','serviceaccounts', '*']) &&                       (has(rule.apiGroup)
           && rule.apiGroup in ['core', '*'])
        )
      )
    Exclusions: []

  - Name: Identify Privileges Escalators - via bind or escalate
    Description: |
      Capture principals that can escalate privileges through the use of special API verbs 'bind' or 'escalate',
      or those that can manipulate resources that govern permissions (ClusterRoles and Roles)
    Severity: CRITICAL
    Uuid: 022bc6ea-83e2-4dae-9074-b306b38dc58d
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'" +
      "\nYou can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://certitude.consulting/blog/en/kubernetes-rbac-security-pitfalls/
      - https://kubernetes.io/docs/reference/access-authn-authz/rbac/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
          subject, has(subject.allowedTo) && subject.allowedTo.exists(
              rule,
              (has(rule.verb)     && rule.verb in ['bind', 'create', 'update', 'patch', 'escalate', '*']) &&
              (has(rule.resource) && rule.resource in ['clusterroles', 'roles', '*']) &&
              (has(rule.apiGroup) && rule.apiGroup in ['rbac.authorization.k8s.io','*'])
          )
      )
    Exclusions: []


  - Name: Storage & Data - Manipulate Cluster Shared Resources
    Description: Capture principals that can manipulate shared cluster storage resources such as StorageClass, Volumes, VolumeClaims
    Severity: HIGH
    Uuid: e43fe915-ca58-481d-821b-5481b1d0df02
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/concepts/storage/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'delete', 'update', 'patch', '*']) &&
          (
            (
              has(rule.resource) && rule.resource in ['persistentvolumeclaims', 'persistentvolumes', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['core','*']
            ) ||
            (
              has(rule.apiGroup) && rule.apiGroup in ['storage.k8s.io','*']
            )
          )
        )
      )
    Exclusions: []

  - Name: Networking - Manipulate Networking and Network Access related resources
    Description: |
      Capture principals that can manipulate shared cluster networking services such as
      Services, Ingresses, NetworkPolicies, Endpoints and EndpointSlices.
    Severity: HIGH
    Uuid: 24392e04-77dd-4721-8aa8-6fc8f6f7005c
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/concepts/services-networking/
      - https://kubernetes.io/docs/concepts/services-networking/ingress/
      - https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
      - https://kubernetes.io/docs/concepts/services-networking/network-policies/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'delete', 'update', 'patch', '*']) &&
          (
            (
              has(rule.resource) && rule.resource in ['networkpolicies', 'ingresses', 'ingressclasses','*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['networking.k8s.io', 'extensions', '*']
            ) ||
            (
              has(rule.resource) && rule.resource in ['services', 'endpoints', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['core','*']
            ) ||
            (
               has(rule.resource) && rule.resource in ['endpointslices', '*'] &&
               has(rule.apiGroup) && rule.apiGroup in ['discovery.k8s.io','*']
            )
          )
        )
      )
    Exclusions: []

  - Name: Networking - Manipulate Gateway API Resources
    Description: |
      Capture principals that can manipulate shared cluster networking services such as
      Gateway Classes, Gateways, HTTPRoutes, TLSRoutes, etc,.
    Severity: HIGH
    Uuid: 337c205f-7479-4a31-9057-03c6c8d2f80e
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://gateway-api.sigs.k8s.io/


    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'delete', 'update', 'patch', '*']) &&
          (has(rule.resource) && rule.resource in ['gatewayclasses', 'gateways', 'httproutes', 'tcproutes', 'tlsroutes', 'udproutes', '*']) &&
          (has(rule.apiGroup) && rule.apiGroup in ['gateway.networking.k8s.io', '*'])        )
      )
    Exclusions: []

  - Name: Installing or Modifying Admission Controllers
    Description: Capture principals that can install/update Kubernetes admission controllers of any kind
    Severity: CRITICAL
    Uuid: e08e762e-50d6-4091-a37a-c4dd01d274a9
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
      - https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
      - https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', '*']) &&
          (
              has(rule.resource) && rule.resource in ['mutatingwebhookconfigurations', 'validatingwebhookconfigurations', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['admissionregistration.k8s.io','*']
          )
        )
      )
    Exclusions: []

  - Name: Installing or Modifying Cluster Extensions (CRDs)
    Description: Capture principals that can install/delete/update Kubernetes Custom Resources
    Severity: MEDIUM
    Uuid: 773d2782-8d26-4aea-b6dc-719b9072729a
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', 'delete', '*']) &&
          (
              has(rule.resource) && rule.resource in ['customresourcedefinitions', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['apiextensions.k8s.io','*']
          )
        )
      )
    Exclusions: []

  - Name: Open Policy Agent (OPA) GateKeeper Administration
    Description: Capture principals that have administrative privileges and can manage OPA GateKeeper shared resources resources
    Severity: HIGH
    Uuid: 9d3d62c2-81a5-439a-bc51-9b74f8124822
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates
      - https://open-policy-agent.github.io/gatekeeper/website/docs/mutation

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', 'delete', '*']) &&
          (
              has(rule.resource) && rule.resource in ['constrainttemplates', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['templates.gatekeeper.sh','*']
          ) ||
          (
              has(rule.resource) && rule.resource in ['assign', 'assignmetadata', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['mutations.gatekeeper.sh','*']
          ) ||
          (
              has(rule.resource) && rule.resource in ['configs', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['config.gatekeeper.sh','*']
          )
        )
      )
    Exclusions: [] # gatekeeper-system/gatekeeper-admin excluded in global exceptions

  - Name: Create Node Proxy
    Description: Capture principals with permissions to create node proxies, which provides direct access to Kubelet APIs and can be used for privileges escalation.
    Severity: CRITICAL
    Uuid: EB43D06A-8534-43EB-8360-117D0AB06808
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://blog.aquasec.com/privilege-escalation-kubernetes-rbac

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', '*']) &&
          (has(rule.resource) && rule.resource in ['nodes/proxy', '*']) &&
          (has(rule.apiGroup) && rule.apiGroup in ['', '*'])        )
      )
    Exclusions: [] #

  - Name: Create Ephemeral Containers in Running Pods
    Description: |
      Capture principals with permissions to create ephemeral containers in running Pods.
      Permissions to create ephemeral container provides the ability to execute code in other pods as well as executing code with excessive process permissions (by setting securityContext field) which can potentially lead to container escape to the hosting node.
    Severity: HIGH
    Uuid: D43B8BDC-B0D3-4FFA-B320-95F516B514B3
    Recommendation: |      
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['patch', 'update', '*']) &&
          (has(rule.resource) && rule.resource in ['pods/ephemeralcontainers', '*']) &&
          (has(rule.apiGroup) && rule.apiGroup in ['', '*'])        )
      )
    Exclusions: []

  - Name: Exec into Pod
    Description: |
      Capture principals with permissions to exec into running Pods.
      Principals with such permissions can execute code in privileged pods, or execute code in pod running in privileged namespace, are likely to yield additional privileges escalation.
    Severity: HIGH
    Uuid: 9755128A-C1B4-410B-B163-09165E9F14EF
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', '*']) &&
          (has(rule.resource) && rule.resource in ['pods/exec', '*']) &&
          (has(rule.apiGroup) && rule.apiGroup in ['', '*'])        )
      )
    Exclusions: []

  - Name: Kyverno Administration
    Description: Capture principals that have administrative privileges and can manage Kyverno shared resources resources
    Severity: HIGH
    Uuid: 7f9a4ef2-535b-4e44-897c-90a94ae9c985
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kyverno.io/docs/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', 'delete', '*']) &&
          (
              has(rule.resource) && rule.resource in ['clusterpolicies', 'policies', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['kyverno.io','*']
          ) 
        )
      )
    Exclusions: []

  - Name: Installing or Modifying Kubernetes Admission Policies
    Description: Capture principals that can install/update Kubernetes Admission Policies of any kind
    Severity: HIGH
    Uuid: e3fbfb0f-2f3b-4c30-ada4-50bbe73f421e
    Recommendation: |
      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
    References:
      - https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/

    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
    AnalysisExpr: |
      subjects.filter(
        subject, has(subject.allowedTo) && subject.allowedTo.exists(
          rule,
          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', '*']) &&
          (
              has(rule.resource) && rule.resource in ['validatingadmissionpolicies', 'validatingadmissionpolicybindings', '*'] &&
              has(rule.apiGroup) && rule.apiGroup in ['admissionregistration.k8s.io','*']
          )
        )
      )
    Exclusions: []