Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Badrobot work with SDK #5798

Closed
jberkhahn opened this issue May 24, 2022 · 8 comments
Closed

Make Badrobot work with SDK #5798

jberkhahn opened this issue May 24, 2022 · 8 comments
Assignees
@jberkhahn
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
Backlog

Comments

@jberkhahn
Copy link
Contributor

Hey,

At Kubecon I attended a talk about operators as a threat vector to cluster security. I spoke with Kevin Ward (@wakeward), one of the maintainers on the project, about possibly integrating the tool they built, BadRobot. This issue is a place to discuss that.

Taking a look at the tool, it looks like the tool currently consumes a single yaml manifest that has been collated from the ones to provision the operator. I wonder if it would be possible to make it work on Bundles, at which point it could be packaged as a Validator, once we have External Validators working.
@jberkhahn jberkhahn mentioned this issue May 24, 2022
Open
@wakeward
Copy link

More than happy to look at this. Regarding Bundles, I know you discussed with me rukpak Is this what you had in mind or support for CSV? I think it would also be good to understand how BadRobot will work in this instance (e.g. do you want all rulesets or a subset to start off with to encourage developers to review basic security configurations first?).

@jberkhahn
Copy link
Contributor Author

When I say Bundles, I mean the off-cluster artifact that is produced by SDK when you package an operator for OLM, see example here. This is what is hosted on Operator Hub, and what our validators are run against. Due to rukpak it is likely the exact contents of a Bundle is going to change in the future, however.

@everettraven
Copy link
Contributor

@ryantking is working on conversion logic from the current bundle format to the new rukpak format so he may have so additional insight as to the changes that a bundle may have in the future.

@ryantking
Copy link
Contributor

For reference, here's the very WIP PR on that: https://github.com/operator-framework/rukpak/pull/396/files

@jberkhahn jberkhahn self-assigned this Jun 6, 2022
@jberkhahn jberkhahn added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Jun 6, 2022
@varshaprasad96 varshaprasad96 added this to the Backlog milestone Jun 13, 2022
@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 12, 2022
@openshift-bot
Copy link

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 12, 2022
@openshift-bot
Copy link

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this as completed Nov 12, 2022
@openshift-ci
Copy link

openshift-ci bot commented Nov 12, 2022

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jberkhahn jberkhahn

Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
6 participants
@openshift-bot @ryantking @jberkhahn @wakeward @everettraven @varshaprasad96