stackrox · viswajithiii · May 10, 2022 · May 6, 2022 · May 6, 2022 · May 10, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -41,7 +41,8 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
   - For questions about this change, please contact the Red Hat support team at [email protected].
 - ROX-10018: The policy `OpenShift: Kubeadmin Secret Accessed` will no longer trigger if the request was from the default OpenShift `oauth-apiserver-sa` service account, because this is an expected access pattern for the OpenShift apiserver.
 - Violation tags and process tags are deprecated, and will be removed in version 3.72.0.
-
+- Users who do not want to include the RBAC factor in risk calculation can set
+  the "ROX_INCLUDE_RBAC_IN_RISK" environment variable to "false" in the Central deployment spec.
 
 ## [69.1]
 

diff --git a/central/risk/scorer/deployment/scorer.go b/central/risk/scorer/deployment/scorer.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stackrox/rox/central/risk/multipliers/image"
 	saStore "github.com/stackrox/rox/central/serviceaccount/datastore"
 	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/env"
 	"github.com/stackrox/rox/pkg/logging"
 )
 
@@ -40,9 +41,13 @@ func NewDeploymentScorer(alertGetter getters.AlertGetter, roles roleStore.DataSt
 			deployment.NewImageMultiplier(image.RiskyComponentCountHeading),
 			deployment.NewImageMultiplier(image.ComponentCountHeading),
 			deployment.NewImageMultiplier(image.ImageAgeHeading),
-			deployment.NewSAPermissionsMultiplier(roles, bindings, serviceAccounts),
 		},
 	}
+	if env.IncludeRBACInRisk.BooleanSetting() {
+		scoreImpl.ConfiguredMultipliers = append(scoreImpl.ConfiguredMultipliers,
+			deployment.NewSAPermissionsMultiplier(roles, bindings, serviceAccounts),
+		)
+	}
 
 	return scoreImpl
 }

diff --git a/pkg/env/rbac_risk.go b/pkg/env/rbac_risk.go
@@ -0,0 +1,6 @@
+package env
+
+var (
+	// IncludeRBACInRisk toggles whether RBAC is included in the risk calculation.
+	IncludeRBACInRisk = RegisterBooleanSetting("ROX_INCLUDE_RBAC_IN_RISK", true)
+)
diff --git a/pkg/env/setting.go b/pkg/env/setting.go
@@ -66,6 +66,10 @@ func RegisterSetting(envVar string, opts ...SettingOption) Setting {
 	return s
 }
 
+func unregisterSetting(envVar string) {
+	delete(Settings, envVar)
+}
+
 func (s *setting) EnvVar() string {
 	return s.envVar
 }

diff --git a/pkg/env/setting_test.go b/pkg/env/setting_test.go
@@ -3,6 +3,7 @@ package env
 import (
 	"fmt"
 	"os"
+	"strings"
 	"testing"
 	"time"
 
@@ -18,6 +19,7 @@ func TestWithoutDefault(t *testing.T) {
 
 	name := newRandomName()
 	s := RegisterSetting(name)
+	defer unregisterSetting(name)
 
 	a.Equal(name, s.EnvVar())
 	a.Empty(s.Setting())
@@ -31,6 +33,7 @@ func TestWithDefault(t *testing.T) {
 
 	name := newRandomName()
 	s := RegisterSetting(name, WithDefault("baz"))
+	defer unregisterSetting(name)
 
 	a.Equal("baz", s.Setting())
 
@@ -46,6 +49,7 @@ func TestWithDefaultAndAllowEmpty(t *testing.T) {
 
 	name := newRandomName()
 	s := RegisterSetting(name, WithDefault("baz"), AllowEmpty())
+	defer unregisterSetting(name)
 
 	a.Equal("baz", s.Setting())
 
@@ -61,6 +65,7 @@ func TestDurationSetting(t *testing.T) {
 
 	name := newRandomName()
 	s := registerDurationSetting(name, time.Minute)
+	defer unregisterSetting(name)
 
 	a.Equal(time.Minute, s.DurationSetting())
 	a.Equal("1m0s", s.Setting())
@@ -69,3 +74,13 @@ func TestDurationSetting(t *testing.T) {
 	a.Equal(time.Hour, s.DurationSetting())
 	a.Equal("1h0m0s", s.Setting())
 }
+
+func TestSettingEnvVarsStartWithRox(t *testing.T) {
+	for k := range Settings {
+		// This one slipped by, too late to change it, so ignore in the test.
+		if k == NotifyEveryRuntimeEvent.EnvVar() {
+			continue
+		}
+		assert.True(t, strings.HasPrefix(k, "ROX_"), "Env var %s doesn't start with ROX_", k)
+	}
+}