capsule icon indicating copy to clipboard operation
capsule copied to clipboard

Published 20 hours ago verified publisher icon projectcapsule

Introduce static analysis of operator RBAC

Open maxgio92 opened this issue 1 year ago • 1 comments

Describe the feature

The CI pipeline could integrate static security analysis on the (Cluster)Roles that the operator would run with.

What would the new user story look like?

As a maintainer, I would like that contribution would pass a static analysis of RBAC being introduced before being integrated.

This is one of the examples of shifting left the security, statically analyzing (SAST) before the integration of software.

Expected behavior

First step: RBAC

One first approach could be adding a job in the CI Github workflow, that would audit through tools.

Tools: BadRobot.

Badrobot is a Kubernetes Operator audit tool. It statically analyses manifests for high risk configurations such as lack of security restrictions on the deployed controller and the permissions of an associated clusterole. The risk analysis is primarily focussed on the likelihood that a compromised Operator would be able to obtain full cluster permissions.

maxgio92 avatar Sep 02 '22 15:09 maxgio92

This will be nice for our quality gate checks! Anyway, we should check if this overlap with kubescape

ptx96 avatar Sep 03 '22 14:09 ptx96