fix(plugins/k8saudit/rules): split rbac rules by individual rbac object #484
@alacuku, it looks like the new tag format is missing somewhere, the actual git tag is
Hopefully you have time to have a look 🙏
#482 has not been merged yet. Could you rebase on that?
f1ebc84 to 28ff9b4
/retest
@sboschman, #482 extends the rules checker so it impacts all the plugins. Found a bug related to how we built the tag for the plugins. I just pushed the fix. Could you please rebase on it?
28ff9b4 to fcc9b5e
Rules files suggestions
rules
Comparing
No changes detected
nice @alacuku, the build succeeds. Not sure what this 'rules files suggestions' is supposed to do, it says:
But this PR changed the rules... so should it show a diff in the rules?
I'm not the original author of the CI, so can't say. I modified that part of the CI, maybe I missed something. I'll have a look at it right now.
@sboschman, I pushed the fix #482. Could you test it?
fcc9b5e to 349d08c
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
349d08c to 029593e
Rules files suggestions
rules
Comparing
Major changes:
Minor changes:
☝️ @alacuku nice looking rules comparison 💪
@Issif could you take a look at this please? 🙏
/assign
It makes total sense, and the changes are correct to me. IMHO it also requires a bump of the version of the rules (with the relevant changelog).
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
91c4f05 to e36500b
Rules files suggestions
rules
Comparing
Major changes:
Minor changes:
@Issif version bump and changelog are included
Good to me, cc @leogr
/lgtm
LGTM label has been added. Git tree hash: c9800ba45cb8a40255fc1eca0b5aef61eb6fb0bd
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: Issif, leogr, sboschman
The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind bug
/kind feature
Any specific area of the project related to this PR?
/area plugins
What this PR does / why we need it:
k8saudit ruleset is only detecting create/delete events for ClusterRoleBinding objects. As the rules do detect the create/delete events for Role objects, it makes sense to detect create/delete events for RoleBinding objects as well.

As Role and RoleBinding are namespace scoped objects, I did split the rules out for each individual rbac object to include the namespace field into the output. As well as to make it easier to see the difference between cluster wide and namespace scoped objects by rule name, instead of having to parse out the 'resources' field.

Which issue(s) this PR fixes:
Fixes #319
Special notes for your reviewer:
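
The per-object split described above, as an added Python sketch over Kubernetes audit events; it is not the PR's rules file and not Falco code. The rule names, the `classify` and `alerts` helpers and the sample events are constructed for illustration; the field names (`verb`, `objectRef`, `user.username`) are those of the Kubernetes audit event format.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
# resource -> (kind, namespaced?): Role and RoleBinding are namespace scoped,
# ClusterRole and ClusterRoleBinding are cluster wide.
RBAC_OBJECTS = {
    "roles": ("Role", True),
    "rolebindings": ("RoleBinding", True),
    "clusterroles": ("ClusterRole", False),
    "clusterrolebindings": ("ClusterRoleBinding", False),
}
VERBS = {"create": "Created", "delete": "Deleted"}


def classify(event):
    """Return one alert per RBAC object create/delete, or None for other events."""
    ref = event.get("objectRef") or {}
    obj = RBAC_OBJECTS.get(ref.get("resource"))
    action = VERBS.get(event.get("verb"))
    if ref.get("apiGroup") != RBAC_GROUP or obj is None or action is None:
        return None
    kind, namespaced = obj
    # On create the name is usually only in the request body, not in objectRef.
    body_meta = (event.get("requestObject") or {}).get("metadata") or {}
    alert = {
        "rule": f"K8s {kind} {action}",  # hypothetical rule name, one per object
        "user": (event.get("user") or {}).get("username", "<unknown>"),
        "name": ref.get("name") or body_meta.get("name", "<unknown>"),
    }
    if namespaced:  # only namespace scoped objects carry a namespace field
        alert["namespace"] = ref.get("namespace", "<unknown>")
    return alert


def alerts(lines):
    """Parse JSON audit lines and keep the events that produced an alert."""
    return [a for a in (classify(json.loads(line)) for line in lines) if a]


# Constructed sample audit events (not taken from a real cluster).
SAMPLE_EVENTS = [
    '{"verb":"create","user":{"username":"alice"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"rolebindings","namespace":"dev"},"requestObject":{"metadata":{"name":"read-pods"}}}',
    '{"verb":"delete","user":{"username":"bob"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings","name":"ops-admin"}}',
    '{"verb":"get","user":{"username":"carol"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"roles","namespace":"dev","name":"viewer"}}',
    '{"verb":"create","user":{"username":"dave"},"objectRef":{"apiGroup":"","resource":"pods","namespace":"dev"}}',
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```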