role-binding-role-ref.yaml
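# Kubevious ClusterRule: reports RoleBindings and ClusterRoleBindings whose
# roleRef is missing, incomplete, or does not resolve to an existing
# Role / ClusterRole.
#
# Why it matters: a binding that points at a role which does not exist grants
# nothing today, but its subjects pick up whatever permissions a role created
# later under that name carries. Dangling bindings are better removed than
# left in place.
apiVersion: kubevious.io/v1alpha1
kind: ClusterRule
metadata:
  name: role-binding-role-ref
spec:
  summary: |
    Validate RoleBinding and ClusterRoleBinding to Role and ClusterRole reference.
  categories:
    - k8s
    - rbac
    - binding
    - role
    - reference
  # Targets: every ClusterRoleBinding (cluster scope) plus every RoleBinding.
  target: |
    Union(
      Api('rbac.authorization.k8s.io')
        .Kind("ClusterRoleBinding")
        .isClusterScope(true),
      Api('rbac.authorization.k8s.io')
        .Kind("RoleBinding"),
    )
  rule: |
    const roleRef = config.roleRef;
    if (!roleRef) {
      error(`RoleRef not set`);
      return;
    }

    // kind and name are both needed for the lookup below. Without this guard
    // a roleRef lacking kind makes roleKind.startsWith() throw instead of
    // producing a finding on the binding.
    const roleKind = roleRef.kind;
    if (typeof roleKind !== 'string' || !roleRef.name) {
      error(`RoleRef is incomplete: kind and name are required`);
      return;
    }

    // A RoleBinding may reference either a namespaced Role or a ClusterRole,
    // so the lookup scope is taken from the referenced kind, not from the
    // binding. roleRef carries no namespace field in the RBAC v1 API, so the
    // fallback to the binding's own namespace is what normally applies.
    const role = Api(roleRef.apiGroup)
      .Kind(roleKind)
      .name(roleRef.name)
      .isClusterScope(roleKind.startsWith('Cluster'))
      .namespace(roleRef.namespace ?? item.namespace)
      .single();

    // NOTE(review): presumably single() yields a falsy value when nothing
    // matches; confirm against the Kubevious rule API.
    if (!role) {
      error(`Could not find ${roleKind} ${roleRef.name}`);
    }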