ISSUE TITLE: Kubernetes clusters should minimize wildcard use in role and cluster role policy does not support list of exclude clusterrole.
PolicyName: Kubernetes clusters should minimize wildcard use in role and cluster role.
ISSUE DESCRIPTION (this template): The "Kubernetes clusters should minimize wildcard use in role and cluster role" policy always shows non-compliance if you deploy a cluster with the Calico plugin. The Calico network plugin is an AKS-managed add-on; however, the tigera-operator cluster role is not in the default exclusion list.
Details of the scenario you tried and the problem that is occurring
If you deploy an AKS cluster with the Calico plugin, this wildcard clusterrole policy always shows a non-compliant state.
Verbose logs showing the problem
Suggested solution to the issue
Either the policy needs an enhancement to support an exclude clusterrole parameter; currently it supports only exclude namespace.
Otherwise, include https://store.policy.core.windows.net/kubernetes/block-wildcard-roles/v1/template.yaml with tigera-operator as AKS_MANAGED_CLUSTER_ROLE_NAMES.
If policy is Guest Configuration - details about target node
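The behaviour requested in this issue, sketched as an added example (not the policy's own code and not part of the original report): a wildcard audit over Role and ClusterRole objects that honours a namespace exclusion and, additionally, a ClusterRole-name exclusion. The `excluded_cluster_roles` parameter, the function names and every sample object are assumptions made for illustration.

```python
# Added example: wildcard audit of Role/ClusterRole objects with a name-based
# exclusion list. All objects below are constructed sample data.

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(obj):
    """Return (rule_index, field) pairs where a rule uses the '*' wildcard."""
    findings = []
    for i, rule in enumerate(obj.get("rules") or []):
        for field in RULE_FIELDS:
            if WILDCARD in (rule.get(field) or []):
                findings.append((i, field))
    return findings


def audit(objects, excluded_namespaces=(), excluded_cluster_roles=()):
    """Map 'Kind/name' -> findings for every non-excluded object with wildcards.

    excluded_cluster_roles is the hypothetical parameter the issue asks for;
    ClusterRoles are cluster-scoped, so a namespace exclusion never matches them.
    """
    report = {}
    for obj in objects:
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        name = meta.get("name", "")
        if kind not in ("Role", "ClusterRole"):
            continue
        if kind == "ClusterRole" and name in excluded_cluster_roles:
            continue
        if kind == "Role" and meta.get("namespace") in excluded_namespaces:
            continue
        findings = wildcard_findings(obj)
        if findings:
            report[f"{kind}/{name}"] = findings
    return report


# Constructed sample objects (rules are illustrative, not copied from a cluster).
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "tigera-operator"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "app-admin"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "sys-role", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["list"]}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE, excluded_namespaces={"kube-system"}))
    print(audit(SAMPLE, {"kube-system"}, excluded_cluster_roles={"tigera-operator"}))
```

A name-based exemption trusts whatever object currently holds that name, so the exclusion list should stay short and changes to excluded roles should still be monitored.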