capsule
capsule copied to clipboard
Introduce static analysis of operator RBAC
Describe the feature
The CI pipeline could integrate static security analysis on the (Cluster
)Roles
that the operator would run with.
What would the new user story look like?
As a maintainer, I would like that contribution would pass a static analysis of RBAC being introduced before being integrated.
This is one of the examples of shifting left the security, statically analyzing (SAST) before the integration of software.
Expected behavior
First step: RBAC
One first approach could be adding a job in the CI Github workflow, that would audit through tools.
Tools: BadRobot.
Badrobot is a Kubernetes Operator audit tool. It statically analyses manifests for high risk configurations such as lack of security restrictions on the deployed controller and the permissions of an associated clusterole. The risk analysis is primarily focussed on the likelihood that a compromised Operator would be able to obtain full cluster permissions.
This will be nice for our quality gate checks! Anyway, we should check if this overlap with kubescape