It'd be great if users could run rbac-audit more easily in their CI, to identify overly broad permissions and to surface new behavior that adds newly required permissions. A way this could look for GitHub Actions is:
This config would check out the user's repo, install Go, set up a KinD cluster for rbac-audit and set KUBECONFIG, then run ./my-e2e-tests.sh. After the test, the action could check that RBAC config in config/rbac.yaml matches the policy generated by rbac-audit, and fail with diff output otherwise.
This would require:
stable output from rbac-audit-generated policies to avoid spurious diffs (mostly already there)
semantic diff to ignore any non-RBAC config, differing whitespace/styling, etc., that is encountered in the user's rbac.yaml -- e.g., verbs: ['a', 'b', 'c'] is functionally equivalent to verbs: ['c', 'a', 'b'], and should be ignored.
allowing users some way to mark a config as ignored for rbac-audit purposes, to account for manual edits