From 11b1e0fc728a8983af075b8104d097b79e3117bb Mon Sep 17 00:00:00 2001
From: James Salt
Date: Thu, 11 Jun 2026 13:49:30 +0100
Subject: [PATCH] Fix clusterBootstrapCreatorAdminPermissions to return false when field is absent

AWS omits BootstrapClusterCreatorAdminPermissions from the accessConfig response when the cluster uses API auth mode and the field is false. Returning nil caused the OPA policy to receive null, which is truthy, triggering a false violation.
---
 internal/cluster.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/cluster.go b/internal/cluster.go
index f191eec..49caefd 100644
--- a/internal/cluster.go
+++ b/internal/cluster.go
@@ -119,11 +119,14 @@ func clusterAuthenticationMode(cluster types.Cluster) string {
 return string(cluster.AccessConfig.AuthenticationMode)
 }

-func clusterBootstrapCreatorAdminPermissions(cluster types.Cluster) *bool {
+func clusterBootstrapCreatorAdminPermissions(cluster types.Cluster) bool {
 if cluster.AccessConfig == nil {
- return nil
+ return false
+ }
+ if cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions == nil {
+ return false
 }
- return cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions
+ return *cluster.AccessConfig.BootstrapClusterCreatorAdminPermissions
 }

 func clusterSecretsEncryptionConfigured(cluster types.Cluster) bool {
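Review bot: The two new `return false` branches in `clusterBootstrapCreatorAdminPermissions` make the check fail open, because every absent value now reads as "creator has no bootstrap admin", including `cluster.AccessConfig == nil`, which the commit message does not cover. If the field can also be missing for a cluster whose creator does hold admin (a response without accessConfig, or a non-API authentication mode; neither can be confirmed from this hunk), the OPA policy will pass that cluster without a finding. Consider applying the false fallback only after checking `cluster.AccessConfig.AuthenticationMode` for the documented API-mode case, and record the AWS behaviour on the function with a comment such as `// AWS omits the field when it is false in API auth mode; absence is reported as false.` A table test covering nil AccessConfig, nil field, and explicit true and false would pin the intended mapping.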