
fix: fix validation method in kubernetes provider (#2000)

RBAC allows a user to define a wildcard `*` for a given field in the
Resource Rule. Prefix/Suffix matching or globbing is not supported,
just simple wildcards.
For example, the cluster-admin role has a `*` on all
apiVersion/resource/verbs, so validation would fail for it.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner 3 years ago
parent
commit
1e04177045
2 changed files with 24 additions and 1 deletions
  1. 3 1
      pkg/provider/kubernetes/validate.go
  2. 21 0
      pkg/provider/kubernetes/validate_test.go

+ 3 - 1
pkg/provider/kubernetes/validate.go

@@ -83,7 +83,9 @@ func (c *Client) Validate() (esv1beta1.ValidationResult, error) {
 		return esv1beta1.ValidationResultUnknown, fmt.Errorf("could not verify if client is valid: %w", err)
 	}
 	for _, rev := range authReview.Status.ResourceRules {
-		if contains("secrets", rev.Resources) && contains("get", rev.Verbs) {
+		if (contains("secrets", rev.Resources) || contains("*", rev.Resources)) &&
+			(contains("get", rev.Verbs) || contains("*", rev.Verbs)) &&
+			(len(rev.APIGroups) == 0 || (contains("", rev.APIGroups) || contains("*", rev.APIGroups))) {
 			return esv1beta1.ValidationResultReady, nil
 		}
 	}
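Review bot: The API-group clause on the third added line treats a rule with an empty `APIGroups` list as a match for the core group, which is more lenient than the resource and verb clauses next to it; a rule derived from RBAC normally carries an explicit group (`""` for core), so the `len(rev.APIGroups) == 0` branch deserves a why-comment such as `// an empty group list is accepted as the core group; "" and "*" also match`. The loop also still ignores `rev.ResourceNames`, so a rule that grants `get` only on named secrets reports `ValidationResultReady` although other secrets remain unreadable; if that is deliberate best-effort validation, a comment on the loop should say so. The three `contains(x, …) || contains("*", …)` pairs would read more clearly behind a small helper, e.g. `func matchesOrWildcard(want string, list []string) bool { return contains(want, list) || contains("*", list) }`. The body of Validate begins and continues outside the hunk.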

+ 21 - 0
pkg/provider/kubernetes/validate_test.go

@@ -273,6 +273,17 @@ func TestValidate(t *testing.T) {
 			},
 		},
 	}
+	successWildcardReview := authv1.SelfSubjectRulesReview{
+		Status: authv1.SubjectRulesReviewStatus{
+			ResourceRules: []authv1.ResourceRule{
+				{
+					Verbs:     []string{"*"},
+					Resources: []string{"*"},
+					APIGroups: []string{"*"},
+				},
+			},
+		},
+	}
 
 	type fields struct {
 		Client       KClient
@@ -333,6 +344,16 @@ func TestValidate(t *testing.T) {
 			want:    esv1beta1.ValidationResultReady,
 			wantErr: false,
 		},
+		{
+			name: "allowed results in no error",
+			fields: fields{
+				Namespace:    "default",
+				ReviewClient: fakeReviewClient{authReview: &successWildcardReview},
+				store:        &esv1beta1.KubernetesProvider{},
+			},
+			want:    esv1beta1.ValidationResultReady,
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
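Review bot: The new table entry is named "allowed results in no error", which does not say what distinguishes it from the preceding ready case and, judging by the surrounding entries, may duplicate an existing name so that `t.Run` output no longer identifies which case failed; rename it to something like `name: "wildcard rule results in ready"`. The fixture `successWildcardReview` sets `*` on all three fields at once, so the test does not show that each wildcard is accepted independently; a case with `Resources: []string{"secrets"}` and `APIGroups: []string{""}` but `Verbs: []string{"*"}` would pin the per-field behaviour. The TestValidate function starts before and ends after both hunks.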