Add analysis rule for Gateway API resources (#54)

* Add analysis rule for Gateway API resources

pkg/analysis/default-rules.yaml

@@ -207,6 +207,32 @@ Rules:
       )
     Exclusions: []
 
+  - Name: Networking - Manipulate Gateway API Resources
+    Description: |
+      Capture principals that can manipulate shared cluster networking services such as
+      Gateway Classes, Gateways, HTTPRoutes, TLSRoutes, etc,.
+    Severity: HIGH
+    Uuid: 337c205f-7479-4a31-9057-03c6c8d2f80e
+    Recommendation: |
+      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
+      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
+    References:
+      - https://gateway-api.sigs.k8s.io/
+
+
+    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
+    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
+    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
+    AnalysisExpr: |
+      subjects.filter(
+        subject, has(subject.allowedTo) && subject.allowedTo.exists(
+          rule,
+          (has(rule.verb) && rule.verb in ['create', 'delete', 'update', 'patch', '*']) &&
+          (has(rule.resource) && rule.resource in ['gatewayclasses', 'gateways', 'httproutes', 'tcproutes', 'tlsroutes', 'udproutes', '*']) &&
+          (has(rule.apiGroup) && rule.apiGroup in ['gateway.networking.k8s.io', '*'])        )
+      )
+    Exclusions: []
+
   - Name: Installing or Modifying Admission Controllers
     Description: Capture principals that can install/update Kubernetes admission controllers of any kind
     Severity: CRITICAL

testdata/whocan/gatewat-api-operator.yaml

@@ -0,0 +1,48 @@
+#
+# Install:
+# kubectl apply -f testdata/whocan/gatewat-api-operator.yaml
+#
+# Run:
+# bin/rbac-tool who-can get gateways | grep gateway-network-operator
+#
+# Expect:
+#
+#  ServiceAccount | gateway-network-operator-sa          | test
+#  User           | gateway-network-operator-user        |
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: gateway-network-operator-role
+rules:
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["*"]
+    verbs: ["create", "update", "delete", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+# This role binding allows "jane" to read pods in the "default" namespace.
+# You need to already have a Role named "pod-reader" in that namespace.
+kind: RoleBinding
+metadata:
+  name: gateway-network-operator
+  namespace: test
+subjects:
+  # You can specify more than one "subject"
+  - kind: User
+    name: gateway-network-operator-user # "name" is case sensitive
+    apiGroup: rbac.authorization.k8s.io  # You can specify more than one "subject"
+  - kind: ServiceAccount
+    name: gateway-network-operator-sa # "name" is case sensitive
+    namespace: test
+roleRef:
+  # "roleRef" specifies the binding to a Role / ClusterRole
+  kind: ClusterRole #this must be Role or ClusterRole
+  name: gateway-network-operator-role # this must match the name of the Role or ClusterRole you wish to bind to
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gateway-network-operator-sa
+  namespace: test