Operator Permissions Advisor is a CLI tool that will take a catalog image and statically parse it to determine what permissions an Operator will request of OLM during an install

Overview

Operator Permission Advisor

Go Report

Operator Permissions Advisor is a CLI tool that will take a catalog image and statically parse it to determine what permissions an Operator will request of OLM during an install. The permissions are aggregated from the following sources:

  1. The CSV
  2. The manifests directory of each bundle in the desired install channel

This tool uses the standardized operator-registry actions library github.com/operator-framework/operator-registry/alpha/action to query the catalog.

Usage

./operator-permission-advisor static --help
Statically check the catalog for permission information

Usage:
  operator-permission-advisor static [flags]

Flags:
  -c, --catalog string       catalog source image repo
  -s, --channel string       channel to check for permissions in
  -R, --clusterRole string   location to save the aggregated clusterRole to (default "STDOUT")
  -h, --help                 help for static
  -o, --operator string      operator package to check for permissions in
  -r, --role string          location to save the aggregated role to (default "STDOUT")
Issues
  • Implements issue #6 heads of channels

    Implements issue #6 heads of channels

    This implements issue https://github.com/IBM/operator-permission-advisor/issues/6 to only look at heads of channels when determining the role and cluster role file.

    Added:

    • Unit test bed for permissions and util package
    • Goreport badge for the README
    • Release makefile target for generating releases
    • --aggregate | -a flag for toggling the head of channel functionality from the front end

    Signed-off-by: nathanbrophy [email protected]

    opened by nathanbrophy 0
  • [Enhancement] Update tool to use heads of channels

    [Enhancement] Update tool to use heads of channels

    Background

    Currently the tooling will aggregate the permissions across all bundles in the channel specified. This means that old bundles could have unused permissions that are included in the output. We need a way to filter those out and only look at the latest permissions.

    Design

    Update the front end to do head of channel by default and add a flag to enable aggregation

    $ operator-permision-advisor static -c catalog --channel  channel -o package --aggregate 
    

    Something like the above should do the trick.

    In the back end we will need to honor this flag and use the built in tooling for the actions API to grab only the heads of channels. This may require us changing from the bundle API to the Package API

    lp := &ListPackage{ "Catalog image" }
    lpr,_ := lp.Run(context)
    ch := getChannelObjFromPackage(lpr) // this needs to be written
    head := ch.Head() // This should be a bundle
    

    It would be nice to wrapper the call to getting the bundle in a separate function that returns a common interface that can flow into the permission aggregation section after.

    Acceptance Criteria

    • [x] e2e test suite created (this needs to happen at some point)
    • [x] Ability to filter the output to just the head of the channel
    • [x] Ability to maintain aggregation feature across the entire channel (not sure if there is a big need for this, but will keep it and deprecate in the futuree)
    enhancement good first issue 
    opened by nathanbrophy 0
  • Enhancement Proposal [Version Command]

    Enhancement Proposal [Version Command]

    Background

    This tooling needs a version flag or command that is dynamically generated from the git release information.

    Design

    Using the ldflags golang build parameter it would be nice to have a version command that relays some useful information on the version information.

    e.x.

    type Version struct {
      Semver string
      Build string
      Timestamp string
    } 
    
    $ ./operator-permission-advisor version
    
    {"version": "1.2.3+<git commit hash ID>", "major": "1", "minor": "2", "patch": "3",  "build": "<git commit has ID>", "timestamp": "01022022.000000"}
    

    CLI Considerations

    Add a new version command for the tooling.

    API / Backend Considerations

    We will need to import the git API to dynamically generate some of this information at build time.

    Acceptance Criteria

    • [ ] e2e test suite passes with updates
    • [ ] new version command provides version information from the git repo

    Additional Information

    enhancement approved 
    opened by nathanbrophy 0
  • [Epic] Dynamic Permission Scanning

    [Epic] Dynamic Permission Scanning

    Background

    It can be hard to understand what permissions are needed in an install of an Operator or an Operand. It would be nice if a tool existed that allowed you to dynamically scan a cluster and then write a report of the permissions used during that scan for a given actor.

    Design

    $ opa dynamic -a admin -a 'system:serviceaccount:test-namespace:my-operator' -d 5m # default is -1 ^C tp exit
    

    This could be implemented as a webhook plugin to the admission control plane. The idea would be to intercept any API call to the Kube API server that originates from one of the specified actors, record the API request and infer the permissions from it.

    e.x.:

    GET pods # Needs get, list
    GET pod/my-pod # Needs get
    POST pod/my-pod data..... # Needs create 
    etc ......
    

    Acceptance Criteria

    • [ ] e2e test suite updated/created for the dynamic scan functionality
    • [ ] command that allows dynamic scanning of a cluster
    • [ ] audit report generated for permissions requested during the scan
    • [ ] aggregator to generate a role and/or clusterRole from the audit report
    enhancement help wanted discussion 
    opened by nathanbrophy 0
Releases(v0.0.3)
  • v0.0.3(Apr 22, 2022)

    This implements issue https://github.com/IBM/operator-permission-advisor/issues/6 to only look at heads of channels when determining the role and cluster role file.

    Added:

    • Unit test bed for permissions and util package
    • Goreport badge for the README
    • Release makefile target for generating releases
    • --aggregate | -a flag for toggling the head of channel functionality from the front end

    Signed-off-by: nathanbrophy [email protected]


    SHA256

    e79ad20e3e6e1daa2f0b14b8877898a0c027515ed417ea355da02defc60e1249  operator-permission-advisor.tar.gz
    9cf72ab9471be73b08b241415f6cd063c108e921819957c3d7511fd4915df9af  ./bin/operator-permission-advisor
    
    Source code(tar.gz)
    Source code(zip)
    checksum.sha56(101 bytes)
    operator-permission-advisor(47.93 MB)
    operator-permission-advisor.tar.gz(22.27 MB)
  • v0.0.2(Apr 12, 2022)

    a942e087c22e5194f92010b8403fd29a65e19de4e1d5b9e745341d5fd1ef019e  ./bin/operator-permission-advisor
    

    What's Changed

    • (enhancement) adding in a commiter request template to the repository by @nathanbrophy in https://github.com/IBM/operator-permission-advisor/pull/1
    • Rename opa to operator-permission-advisor by @nathanbrophy in https://github.com/IBM/operator-permission-advisor/pull/4

    New Contributors

    • @nathanbrophy made their first contribution in https://github.com/IBM/operator-permission-advisor/pull/1

    Full Changelog: https://github.com/IBM/operator-permission-advisor/compare/v0.0.1...v0.0.2

    Source code(tar.gz)
    Source code(zip)
    checksum.256(100 bytes)
    operator-permission-advisor.tar.gz(22.27 MB)
  • v0.0.1(Apr 12, 2022)

Owner
International Business Machines
International Business Machines
Stop using install.sh! Start using install.yml! DAJE...

Daje - A general purpose Ansible dotfiles installer Configure one time and run everywhere. What is this I've never liked using a big bash script to in

Schrödinger Hat 18 Apr 11, 2022
Fadvisor(FinOps Advisor) is a collection of exporters which collect cloud resource pricing and billing data guided by FinOps, insight cost allocation for containers and kubernetes resource

[TOC] Fadvisor: FinOps Advisor fadvisor(finops advisor) is used to solve the FinOps Observalibility, it can be integrated with Crane to help users to

Crane 16 May 13, 2022
Basic Kubernetes operator that have multiple versions in CRD. This operator can be used to experiment and understand Operator/CRD behaviors.

add-operator Basic Kubernetes operator that have multiple versions in CRD. This operator can be used to experiment and understand Operator/CRD behavio

Dinesh Parvathaneni 0 Dec 15, 2021
An operator which complements grafana-operator for custom features which are not feasible to be merged into core operator

Grafana Complementary Operator A grafana which complements grafana-operator for custom features which are not feasible to be merged into core operator

Snapp Cab Incubators 2 Mar 5, 2022
operator to install cluster manager and klusterlet.

registration-operator Minimum cluster registration and work Community, discussion, contribution, and support Check the CONTRIBUTING Doc for how to con

Open Cluster Management 47 May 1, 2022
Savoir - A tool to perform tasks during internal security assessment

Savoir Savoir is a tool to perform tasks during internal security assessment. Th

Vincent D. 6 Apr 26, 2022
github-actions-merger is github actions that merges pull request with commit message including pull request labels.

github-actions-merger github-actions-merger is github actions that merges pull request with commit message including pull request labels. Usage Write

ABEMA 5 Mar 13, 2022
Testcontainers is a Golang library that providing a friendly API to run Docker container. It is designed to create runtime environment to use during your automatic tests.

When I was working on a Zipkin PR I discovered a nice Java library called Testcontainers. It provides an easy and clean API over the go docker sdk to

null 1.4k May 12, 2022
🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

cosign-gatekeeper-provider To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying i

sigstore 37 May 4, 2022
Andrews-monitor - A Go program to monitor when times were available to order for Brown's Andrews dining hall. Used during the portion of the pandemic when the dining hall was only available for online order.

Andrews Dining Hall Monitor A Go program to monitor when times were available to order for Brown's Andrews dining hall. Used during the portion of the

null 0 Jan 1, 2022
k8s-image-swapper Mirror images into your own registry and swap image references automatically.

k8s-image-swapper Mirror images into your own registry and swap image references automatically. k8s-image-swapper is a mutating webhook for Kubernetes

Enrico Stahn 300 May 1, 2022
This action prints "true" if image is required to update based on the base image update.

container-image-updater This action prints "true" if image is required to update based on the base image update. Inputs Name Type Description base-ima

Manjunath Kumatagi 1 Apr 15, 2022
The Elastalert Operator is an implementation of a Kubernetes Operator, to easily integrate elastalert with gitops.

Elastalert Operator for Kubernetes The Elastalert Operator is an implementation of a Kubernetes Operator. Getting started Firstly, learn How to use el

null 18 Apr 13, 2022
Test Operator using operator-sdk 1.15

test-operator Test Operator using operator-sdk 1.15 operator-sdk init --domain rbt.com --repo github.com/ravitri/test-operator Writing kustomize manif

Ravi Trivedi 0 Dec 28, 2021
Minecraft-operator - A Kubernetes operator for Minecraft Java Edition servers

Minecraft Operator A Kubernetes operator for dedicated servers of the video game

James Laverack 6 May 10, 2022
K8s-network-config-operator - Kubernetes network config operator to push network config to switches

Kubernetes Network operator Will add more to the readme later :D Operations The

Daniel Hertzberg 5 May 2, 2022
a k8s operator 、operator-sdk

helloworld-operator a k8s operator 、operator-sdk Operator 参考 https://jicki.cn/kubernetes-operator/ https://learnku.com/articles/60683 https://opensour

Mark YiL 0 Jan 27, 2022
kube-champ 33 Apr 21, 2022