Skip to content

feat: Replace RBACRule with RBACRoleRule #219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 9 commits into from
Closed

feat: Replace RBACRule with RBACRoleRule #219

wants to merge 9 commits into from

Conversation

mattwelke
Copy link
Contributor

@mattwelke mattwelke commented Aug 1, 2024
edited
Loading

Issue

Resolves #215

Description

The original RBAC rule behaved somewhat "magically". It ensured that a security principal had all the specified permissions, but did not allow the Validator user to validate which roles provided the permissions and how it provided them. For example:

  • The role's type (built-in vs. custom)
  • The role's display name
  • The scope at which the role was applied via a role assignment (being able to validate this helps prevent over-permissioning)
  • The exact way the permissions were defined in the role (also helps prevent over-permissioning)

Another disadvantage was that the spec did not allow wildcards because of the algorithm the controller used.

This new rule addresses the above problems. It allows users to validate that a role is applied via a role assignment to a security principal at an exact scope. It uses the role assignment and role definition REST APIs from Azure.

Example:

apiVersion: validation.spectrocloud.labs/v1alpha1
kind: AzureValidator
metadata:
  name: azurevalidator-rbacrole-one-role-assignment
spec:
  auth:
    implicit: false
    secretName: azure-creds
  rbacRoleRules:
  - name: rule-1
    principalId: 09d6f010-cda3-41a2-a853-5a1bfe448f58
    roleAssignments:
    - scope: /subscriptions/cdd14191-5cc7-4d80-83c1-524a3046b9bd
      role:
        name: MyCustomRole
        type: CustomRole
        permission:
          actions:
          - Microsoft.Compute/virtualMachines/write

Also removes kubebuilder MaxLength annotations from strings in the spec that don't need it because they aren't used with other kubebuilder validations where string length is problematic (e.g. ensuring uniqueness).

Also removes the ActionStr type because its only purpose was to support MaxLength validation, and actions/dataActions/notActions/notDataActions do not need max length validation.

mattwelke added 4 commits July 30, 2024 18:40
@mattwelke
wip
c59ef5d 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
New rule working. Add sample.
d290469 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
Update chart.
431602a 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
Finish RBACRoleRule. Remove RBACRule.
23f05ae 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke mattwelke requested a review from a team as a code owner August 1, 2024 19:35
@mattwelke mattwelke requested a review from TylerGillson August 1, 2024 19:35
@dosubot dosubot bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label Aug 1, 2024
@dosubot dosubot bot added the enhancement Enhancement to an existing feature label Aug 1, 2024
@mattwelke
Remove unnecessary MaxLenth annotations.
3162d4e 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
Remove unused constant.
42386e2 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
Remove unnecessary ActionStr type.
6d30a79 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
TylerGillson
TylerGillson reviewed Aug 1, 2024
View reviewed changes
@mattwelke
Installed frigate and ran make reviewable.
77a137f 
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
@mattwelke
Copy link
Contributor Author

As discussed offline, we will be sticking with the original rule since it achieves our goal of validating that a particular security principal has at least a particular set of permissions at a particular scope (multiple times, one for each scope), without support for wildcards, "not actions", and "not data actions" being required right now.

@mattwelke mattwelke closed this Aug 2, 2024
@mattwelke mattwelke mentioned this pull request Aug 2, 2024
Merged
TylerGillson pushed a commit that referenced this pull request Aug 2, 2024
@mattwelke
docs: principal ID and rules in readme (#222)
db29a62 
## Issue
There wasn't much guidance on how to specify the correct `principalId`
in the spec for RBAC rule. Azure is complex when it comes to this. There
are four GUIDs users see in the Azure Portal, where three of them are
unique to each Entra ID identify they create. We need to guide them.

## Description
Clarifies how principalID works in the docs. This includes the docstring
generated by kubebuilder and some additions to the readme that go into
detail about it, including screenshots.

Because there is now a readme section on each rule in detail, there is a
part where it describes the community gallery image rule too. But there
isn't much to say about that rule right now.

Also removes some unneeded `MaxLength` annotations (because they aren't
used in other kubebuilder validations where long strings are
problematic).

Note that unlike in the PR
#219, the
`ActionStr` type and its `MaxLength` annotation must remain. This is
because the RBAC rule forbids wildcards in specified permissions and
kubebuilder validation here validates this, which is a type of
kubebuilder validation where long strings are problematic. We need
`ActionStr` because we need to place the `MaxLength` annotation on the
list of actions in a way where it is applied to each string in a slice
of strings, and this is the recommended way to do that right now.

---------

Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TylerGillson TylerGillson TylerGillson left review comments

Assignees
No one assigned
Labels
enhancement Enhancement to an existing feature size:XXL This PR changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

✨ Add RBAC role rule
2 participants
@mattwelke @TylerGillson