feat: public blob rule (PAD-272) #198

Closed
wants to merge 3 commits into from
Changes from 2 commits
2 changes: 1 addition & 1 deletion Dockerfile.devspace
@@ -1,5 +1,5 @@
# Build the manager binary
FROM --platform=$TARGETPLATFORM golang:1.22-alpine3.20 as builder
FROM --platform=$TARGETPLATFORM golang:1.22-alpine3.20 AS builder
ARG TARGETOS
ARG TARGETARCH
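Review bot: the `as` to `AS` change on the builder stage is purely a keyword-casing fix; it silences BuildKit's FromAsCasing lint warning about mixed-case `FROM ... as` and changes nothing about the image. No further action needed on this hunk.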

31 changes: 25 additions & 6 deletions api/v1alpha1/azurevalidator_types.go
Expand Up @@ -22,20 +22,22 @@ import (

// AzureValidatorSpec defines the desired state of AzureValidator
type AzureValidatorSpec struct {
// Rules for validating that the correct role assignments have been created in Azure RBAC to
// provide needed permissions.
// RBACRules is a list of RBAC rules for the validator.
// +kubebuilder:validation:MaxItems=5
// +kubebuilder:validation:XValidation:message="RBACRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"
RBACRules []RBACRule `json:"rbacRules,omitempty" yaml:"rbacRules,omitempty"`
// Rules for validating that images exist in an Azure Compute Gallery published as a community
// gallery.
// CommunityGalleryImageRules is a list of community gallery image rules for the validator.
// +kubebuilder:validation:MaxItems=1000
CommunityGalleryImageRules []CommunityGalleryImageRule `json:"communityGalleryImageRules,omitempty" yaml:"communityGalleryImageRules,omitempty"`
Auth AzureAuth `json:"auth" yaml:"auth"`
// PublicBlobRules is a list of public blob rules for the validator.
// +kubebuilder:validation:MaxItems=1000
PublicBlobRules []PublicBlobRule `json:"publicBlobRules,omitempty" yaml:"publicBlobRules,omitempty"`
Auth AzureAuth `json:"auth" yaml:"auth"`
}

// ResultCount returns the number of validation results expected for an AzureValidatorSpec.
func (s AzureValidatorSpec) ResultCount() int {
return len(s.RBACRules) + len(s.CommunityGalleryImageRules)
return len(s.RBACRules) + len(s.CommunityGalleryImageRules) + len(s.PublicBlobRules)
}

// RBACRule verifies that a security principal has permissions via role assignments and that no deny
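Review bot: PublicBlobRules gets a MaxItems marker but not the unique-name XValidation that RBACRules carries a few lines above, even though PublicBlobRule.Name is documented as the key that stops conditions from overwriting each other; add `// +kubebuilder:validation:XValidation:message="PublicBlobRules must have unique names",rule="self.all(e, size(self.filter(x, x.name == e.name)) == 1)"` above the field (CommunityGalleryImageRules has the same gap). Also note the asymmetry the hunk leaves in place: RBACRules is capped at 5 while the other two rule lists are capped at 1000; if that is intentional, say so in the doc comment.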
Expand Down Expand Up @@ -84,6 +86,23 @@ type CommunityGallery struct {
Name string `json:"name" yaml:"name"`
}

// PublicBlobRule verifies that one or more blobs exist in an Azure Blob Storage blob container and
// that they are publicly accessible via HTTPS.
type PublicBlobRule struct {
// Name is a unique identifier for the rule in the validator. Used to ensure conditions do not
// overwrite each other.
// +kubebuilder:validation:MaxLength=200
Name string `json:"name" yaml:"name"`
// StorageAccount is the name of the storage account.
// +kubebuilder:validation:MaxLength=50
StorageAccount string `json:"storageAccount" yaml:"storageAccount"`
// Container is the name of the blob container. It is prepended to the path.
Container string `json:"container" yaml:"container"`
// Paths is a list of paths to the blobs. Each is used to check for a blob, and during each
// check, the path is appended to the container name.
Paths []string `json:"paths" yaml:"paths"`
}

// AzureAuth defines authentication configuration for an AzureValidator.
type AzureAuth struct {
// If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
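Review bot: PublicBlobRule is validated more loosely than CommunityGalleryImageRule: Container has no MaxLength, Paths has no MinItems/MaxItems and its items have no MaxLength, and StorageAccount's MaxLength=50 is wider than Azure's 3-24 lowercase-alphanumeric storage account names. Because the doc comments say Container is prepended to each path and both end up in an HTTPS URL, add `// +kubebuilder:validation:MinItems=1` and a MaxItems on Paths, MaxLength on the strings, and consider a Pattern that rejects `..` segments and a leading `/` so a path cannot climb out of the container portion of the URL. Separately, since the rule is documented as checking that blobs are "publicly accessible via HTTPS", confirm the implementation performs that request anonymously rather than with the spec.auth identity; otherwise a private blob that the validator's credentials can read would pass.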
27 changes: 27 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Expand Up @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: azurevalidators.validation.spectrocloud.labs
spec:
group: validation.spectrocloud.labs
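Review bot: the controller-gen annotation moves from v0.12.0 to v0.15.0, which is what reflows every description below into `|-` blocks; make sure the pinned controller-tools version used by `make manifests` (not part of this diff) is bumped in the same PR, otherwise the next regeneration flips this file back and produces a noisy diff.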
Expand All @@ -20,71 +20,161 @@ spec:
description: AzureValidator is the Schema for the azurevalidators API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: AzureValidatorSpec defines the desired state of AzureValidator
properties:
auth:
description: AzureAuth defines authentication configuration for an
AzureValidator.
properties:
implicit:
description: If true, the AzureValidator will use the Azure SDK's
default credential chain to authenticate. Set to true if using
WorkloadIdentityCredentials.
description: |-
If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
Set to true if using WorkloadIdentityCredentials.
type: boolean
secretName:
description: Name of a Secret in the same namespace as the AzureValidator
that contains Azure credentials. The secret data's keys and
values are expected to align with valid Azure environment variable
credentials, per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
description: |-
Name of a Secret in the same namespace as the AzureValidator that contains Azure credentials.
The secret data's keys and values are expected to align with valid Azure environment variable credentials,
per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
type: string
required:
- implicit
type: object
communityGalleryImageRules:
description: CommunityGalleryImageRules is a list of community gallery
image rules for the validator.
items:
description: |-
CommunityGalleryImageRule verifies that one or more images in a community gallery exist and are
accessible by a particular subscription.
properties:
gallery:
description: Gallery is the community gallery.
properties:
location:
description: Location is the location of the community gallery
(e.g. "westus").
maxLength: 50
type: string
name:
description: Name is the name of the community gallery.
maxLength: 200
type: string
required:
- location
- name
type: object
images:
description: Images is a list of image names.
items:
type: string
maxItems: 1000
minItems: 1
type: array
name:
description: |-
Name is a unique identifier for the rule in the validator. Used to ensure conditions do not
overwrite each other.
maxLength: 200
type: string
subscriptionID:
description: SubscriptionID is the ID of the subscription.
type: string
required:
- gallery
- images
- name
- subscriptionID
type: object
maxItems: 1000
type: array
publicBlobRules:
description: PublicBlobRules is a list of public blob rules for the
validator.
items:
description: |-
PublicBlobRule verifies that one or more blobs exist in an Azure Blob Storage blob container and
that they are publicly accessible via HTTPS.
properties:
container:
description: Container is the name of the blob container. It
is prepended to the path.
type: string
name:
description: |-
Name is a unique identifier for the rule in the validator. Used to ensure conditions do not
overwrite each other.
maxLength: 200
type: string
paths:
description: |-
Paths is a list of paths to the blobs. Each is used to check for a blob, and during each
check, the path is appended to the container name.
items:
type: string
type: array
storageAccount:
description: StorageAccount is the name of the storage account.
maxLength: 50
type: string
required:
- container
- name
- paths
- storageAccount
type: object
maxItems: 1000
type: array
rbacRules:
description: Rules for validating that the correct role assignments
have been created in Azure RBAC to provide needed permissions.
description: RBACRules is a list of RBAC rules for the validator.
items:
description: Conveys that a specified security principal (aka principal)
should have the specified permissions, via roles. It doesn't matter
which roles provide the permissions as long as enough role assignments
exist that the principal has all of the permissions and no deny
assignments exist that deny the permissions.
description: |-
RBACRule verifies that a security principal has permissions via role assignments and that no deny
assignments deny the permissions.
properties:
name:
description: Unique identifier for the rule in the validator.
Used to ensure conditions do not overwrite each other.
description: |-
Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
each other.
type: string
permissionSets:
description: The permissions that the principal must have. If
the principal has permissions less than this, validation will
fail. If the principal has permissions equal to or more than
this (e.g., inherited permissions from higher level scope,
more roles than needed) validation will pass.
description: |-
The permissions that the principal must have. If the principal has permissions less than
this, validation will fail. If the principal has permissions equal to or more than this
(e.g., inherited permissions from higher level scope, more roles than needed) validation
will pass.
items:
description: Conveys that the security principal should be
the member of a role assignment that provides the specified
role for the specified scope. Scope can be either subscription,
description: |-
PermissionSet is part of an RBAC rule and verifies that a security principal has the specified
permissions (via role assignments) at the specified scope. Scope can be either subscription,
resource group, or resource.
properties:
actions:
description: If provided, the actions that the role must
be able to perform. Must not contain any wildcards.
If not specified, the role is assumed to already be
able to perform all required actions.
description: |-
Actions is a list of actions that the role must be able to perform. Must not contain any
wildcards. If not specified, the role is assumed to already be able to perform all required
actions.
items:
description: ActionStr is a type used for Action strings
and DataAction strings. Alias exists to enable kubebuilder
max string length validation for arrays of these.
description: |-
ActionStr is a type used for Action strings and DataAction strings. Alias exists to enable
kubebuilder max string length validation for arrays of these.
maxLength: 200
type: string
maxItems: 1000
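Review bot: the generated publicBlobRules schema carries the same gaps as the Go type: `paths` has no minItems/maxItems (compare `images` above, minItems 1 / maxItems 1000), `container` has no maxLength, and there is no x-kubernetes-validations block enforcing unique `name` values the way rbacRules has at the spec level. Fix the kubebuilder markers on PublicBlobRule and regenerate rather than editing this file by hand.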
Expand All @@ -93,14 +183,14 @@ spec:
- message: Actions cannot have wildcards.
rule: self.all(item, !item.contains('*'))
dataActions:
description: If provided, the data actions that the role
must be able to perform. Must not contain any wildcards.
If not provided, the role is assumed to already be able
to perform all required data actions.
description: |-
DataActions is a list of data actions that the role must be able to perform. Must not
contain any wildcards. If not provided, the role is assumed to already be able to perform
all required data actions.
items:
description: ActionStr is a type used for Action strings
and DataAction strings. Alias exists to enable kubebuilder
max string length validation for arrays of these.
description: |-
ActionStr is a type used for Action strings and DataAction strings. Alias exists to enable
kubebuilder max string length validation for arrays of these.
maxLength: 200
type: string
maxItems: 1000
Expand All @@ -109,11 +199,10 @@ spec:
- message: DataActions cannot have wildcards.
rule: self.all(item, !item.contains('*'))
scope:
description: The minimum scope of the role. Role assignments
found at higher level scopes will satisfy this. For
example, a role assignment found with subscription scope
will satisfy a permission set where the role scope specified
is a resource group within that subscription.
description: |-
Scope is the minimum scope of the role. Role assignments found at higher level scopes will
satisfy this. For example, a role assignment found with subscription scope will satisfy a
permission set where the role scope specified is a resource group within that subscription.
type: string
required:
- scope
Expand All @@ -127,9 +216,9 @@ spec:
rule: self.all(item, size(item.actions) > 0 || size(item.dataActions)
> 0)
principalId:
description: The principal being validated. This can be any
type of principal - Device, ForeignGroup, Group, ServicePrincipal,
or User.
description: |-
The principal being validated. This can be any type of principal - Device, ForeignGroup,
Group, ServicePrincipal, or User.
type: string
required:
- name
Expand All @@ -143,7 +232,6 @@ spec:
rule: self.all(e, size(self.filter(x, x.name == e.name)) == 1)
required:
- auth
- rbacRules
type: object
status:
description: AzureValidatorStatus defines the observed state of AzureValidator
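Review bot: removing `rbacRules` from `required` means an AzureValidator with only `auth` and no rules of any kind is now accepted by the API server and yields zero results (ResultCount returns 0). If that is not intended, add a spec-level `+kubebuilder:validation:XValidation` marker on AzureValidatorSpec such as `rule="(has(self.rbacRules) && size(self.rbacRules) > 0) || (has(self.communityGalleryImageRules) && size(self.communityGalleryImageRules) > 0) || (has(self.publicBlobRules) && size(self.publicBlobRules) > 0)"`, with the `has()` guards because all three lists are optional.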