Fix disallow anonymous users policy (#133)

* Added empty-dir policy for RHACM

* Added fix to anonymous policy

open-policy-agent/README.md

@@ -21,7 +21,7 @@ Policy  | Description | Prerequisites
 [delete-kubeadmin](./authentication-user-management/delete-kubeadmin) | Validates the removal of the kubeadmin temporary user |
 [shorten-tokens](./authentication-user-management/shorten-tokens) | Validate that tokens are shorter than the defined lifespan period |
 [oauth-secured-identity-providers-only](./authentication-user-management/oauth-secured-identity-providers-only) | Ensures that only secured identityProviders are allowed in the cluster |
-[disallow-anonymous-users](./authentication/disallow-anonymous-users) | Ensures there are no anonymous users associated with any ClusterRole |
+[disallow-anonymous-users](./authentication/disallow-anonymous-users) | Ensures there are no anonymous users associated with any ClusterRole / Role |
 
 ### Authorization
 Policy  | Description | Prerequisites

open-policy-agent/authentication-user-management/disallow-anonymous-users/README.md

@@ -1,8 +1,8 @@
 # Disallow Anonymous Authentication
 
-The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole in the cluster.
+The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole / Role in the cluster.
 
-Associating unauthenticated users with ClusterRoles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
+Associating unauthenticated users with ClusterRoles / Roles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
 
 `This policy has been tested on openshift cluster & oc client version 4.8.4`
 

open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml

@@ -7,4 +7,6 @@ spec:
   match:
     kinds:
       - apiGroups: ["rbac.authorization.k8s.io"]
-        kinds: ["ClusterRoleBinding"]
+        kinds: ["ClusterRoleBinding"]
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["RoleBinding"]

open-policy-agent/authentication-user-management/disallow-anonymous-users/template.yaml

@@ -14,15 +14,12 @@ spec:
       rego: |
         package k8sdisallowanonymous
         violation[{"msg": msg}] {
-          input.review.object.kind == "ClusterRoleBinding"
           review(input.review.object.subjects[_])
-          msg := sprintf("Unauthenticated user is not allowed in ClusterRoleBinding %v ", [input.review.object.metadata.name])
+          msg := sprintf("Unauthenticated user reference is not allowed in %v %v ", [input.review.object.kind, input.review.object.metadata.name])
         }
-
         review(subject) = true {
           subject.name == "system:unauthenticated"
         }
-
         review(subject) = true {
           subject.name == "system:anonymous"
-        }
+        }   

redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/README.md

@@ -1,7 +1,7 @@
 # Disallow Anonymous Authentication
 
-The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole in the cluster.
+The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole / Role in the cluster.
 
-Associating unauthenticated users with ClusterRoles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
+Associating unauthenticated users with ClusterRoles / Roles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
 
 The policy uses the next [Gatekeeper policy](../../../open-policy-agent/authentication-user-management/disallow-anonymous-users/) in order to function.

redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/gatekeeper-disallow-anonymous-auth.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
@@ -38,9 +37,8 @@ spec:
                       rego: |
                         package k8sdisallowanonymous
                         violation[{"msg": msg}] {
-                          input.review.object.kind == "ClusterRoleBinding"
                           review(input.review.object.subjects[_])
-                          msg := sprintf("Unauthenticated user is not allowed in ClusterRoleBinding %v ", [input.review.object.metadata.name])
+                          msg := sprintf("Unauthenticated user reference is not allowed in %v %v ", [input.review.object.kind, input.review.object.metadata.name])
                         }
 
                         review(subject) = true {
@@ -62,6 +60,8 @@ spec:
                     kinds:
                       - apiGroups: ["rbac.authorization.k8s.io"]
                         kinds: ["ClusterRoleBinding"]
+                      - apiGroups: ["rbac.authorization.k8s.io"]
+                        kinds: ["RoleBinding"]
     - objectDefinition:
         apiVersion: policy.open-cluster-management.io/v1
         kind: ConfigurationPolicy
@@ -123,4 +123,4 @@ spec:
       type: ManagedClusterConditionAvailable
   clusterSelector:
     matchExpressions:
-      - { key: environment, operator: In, values: ["dev"] }
+      - { key: environment, operator: In, values: ["dev"] }