Fix: rolebindingRolePodExecAttach check (#1070)

* Fix: rolebindingRolePodExecAttach check

Fix the case of a RoleBinding that points to a ClusterRole.
In that case, we ignore the RoleBinding since it will be evaluated by the rolebindingClusterRolePodExecAttach check.

* add tests for role-binding that uses a cluster-role binding

---------

Co-authored-by: Vitor Vezani <[email protected]>

Author: greg5813

pkg/config/checks/rolebindingRolePodExecAttach.yaml

@@ -17,7 +17,7 @@ schemaString: |
               const: "rbac.authorization.k8s.io"
             kind:
               type: string
-              const: "Role"
+              const: "ClusterRole"
     # Do not alert on default RoleBindings.
     - required: ["metadata"]
       properties:

test/checks/rolebindingRolePodExecAttach/success.role_binding_cluster_role_binding.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: all-operations
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: all-operations
+  namespace: my-namespace
+subjects:
+  - kind: User
+    name: example-user
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: all-operations
+  apiGroup: rbac.authorization.k8s.io