
Commit cb9f36c

committed
feat(KONFLUX-9093): Add tool for validating role RBAC
In KONFLUX-9093, there is a request to enable roles to be created in namespaces via Argo. In order to allow this, we need to be able to guarantee that the roles are not granting permissions that users would normally not have (but which Argo would have). We can use k8s tooling to ensure that permissions are not exceeding some reference roles. Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: arewm <arewm@users.noreply.github.com> rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
1 parent 2083a26 commit cb9f36c

25 files changed

Lines changed: 2052 additions & 7 deletions

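--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+tools/rbac-validator
+*/venv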

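--- a/.tekton/ci-checks.yaml
+++ b/.tekton/ci-checks.yaml
@@ -0,0 +1,147 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+name: ci-checks
+labels:
+app.kubernetes.io/version: "0.1"
+annotations:
+tekton.dev/pipelines.minVersion: "0.12.1"
+tekton.dev/categories: CI
+tekton.dev/tags: ci,golang,rbac,validation
+tekton.dev/displayName: "CI Checks"
+tekton.dev/platforms: "linux/amd64,linux/arm64"
+spec:
+description: >-
+This task runs CI checks for the RBAC validator tool including format checking,
+linting, testing, and build verification. It uses the trusted artifact pattern
+to retrieve source code.
+params:
+- name: SOURCE_ARTIFACT
+description: The Trusted Artifact URI pointing to the application source code
+type: string
+- name: WORKING_DIR
+description: Working directory for the CI checks
+type: string
+default: "tools"
+- name: GO_VERSION
+description: Go version to use for building and testing
+type: string
+default: "1.22"
+results:
+- name: TEST_OUTPUT
+description: Output from the test execution
+- name: BUILD_STATUS
+description: Status of the build process
+volumes:
+- name: workdir
+emptyDir: {}
+stepTemplate:
+volumeMounts:
+- mountPath: /var/workdir
+name: workdir
+steps:
+- name: use-trusted-artifact
+image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
+args:
+- use
+- $(params.SOURCE_ARTIFACT)=/var/workdir/source
+volumeMounts:
+- mountPath: /var/workdir
+name: workdir
+
+- name: ci-checks
+image: registry.access.redhat.com/ubi9/go-toolset:1.24.4-1754467841@sha256:3f552f246b4bd5bdfb4da0812085d381d00d3625769baecaed58c2667d344e5c
+workingDir: /var/workdir/source/$(params.WORKING_DIR)
+env:
+- name: GOCACHE
+value: /var/workdir/.cache/go-build
+- name: GOMODCACHE
+value: /var/workdir/.cache/go-mod
+- name: CGO_ENABLED
+value: "0"
+script: |
+#!/bin/bash
+set -uo pipefail
+
+# Track overall success
+OVERALL_SUCCESS=true
+
+echo "=== Starting CI checks for RBAC validator ==="
+# Ensure we're in the tools directory
+if [[ ! -f "rbac-validator.go" ]]; then
+echo "Error: rbac-validator.go not found in current directory"
+echo "Current directory contents:"
+ls -la
+exit 1
+fi
+
+# Create cache directories
+mkdir -p /var/workdir/.cache/go-build /var/workdir/.cache/go-mod
+
+echo "=== Installing golangci-lint ==="
+export PATH=$PATH:$(go env GOPATH)/bin
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.62.2
+
+echo "=== Running format check ==="
+if [ -n "$(gofmt -l .)" ]; then
+echo "Code is not formatted. Files needing formatting:"
+gofmt -l .
+echo "FAIL: Code formatting check failed"
+exit 1
+fi
+echo "PASS: Code formatting check"
+
+echo "=== Running golangci-lint ==="
+export PATH=$PATH:$(go env GOPATH)/bin
+if golangci-lint run --build-tags="" --max-issues-per-linter=0 --max-same-issues=0; then
+echo "PASS: Linting check"
+else
+echo "FAIL: Linting check"
+OVERALL_SUCCESS=false
+fi
+
+echo "=== Running tests ==="
+if go test -v ./... | tee /var/workdir/test-output.txt; then
+echo "PASS: All tests"
+else
+echo "FAIL: All tests"
+OVERALL_SUCCESS=false
+fi
+
+echo "=== Running testdata validation tests ==="
+if go test -v -run "TestAllowedRoles|TestDeniedRoles|TestBinaryWithTestData|TestTestDataCompleteness"; then
+echo "PASS: Testdata validation"
+else
+echo "FAIL: Testdata validation"
+OVERALL_SUCCESS=false
+fi
+
+echo "=== Building binary ==="
+if go build -o rbac-validator rbac-validator.go; then
+echo "PASS: Binary build"
+else
+echo "FAIL: Binary build"
+OVERALL_SUCCESS=false
+fi
+
+echo "=== Verifying binary functionality ==="
+if echo '{"userRules": [], "referenceRules": []}' | ./rbac-validator; then
+echo "PASS: Binary execution test"
+else
+echo "FAIL: Binary execution test"
+OVERALL_SUCCESS=false
+fi
+
+if [ "$OVERALL_SUCCESS" = "true" ]; then
+echo "=== All CI checks completed successfully ==="
+else
+echo "=== CI checks completed with failures ==="
+exit 1
+fi
+volumeMounts:
+- mountPath: /var/workdir
+name: workdir
+# git clone is made as user 0, so we need to be this user too because
+# the trusted artifacts are restored as this user as well.
+securityContext:
+runAsUser: 0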
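Review bot: The `TEST_OUTPUT` and `BUILD_STATUS` results are declared under `results`, but the script never writes to `$(results.TEST_OUTPUT.path)` or `$(results.BUILD_STATUS.path)`, so any consumer of those results sees them empty; the test log only goes to `/var/workdir/test-output.txt`, which is not a result. The final block should at least record the outcome, e.g. `echo -n "$OVERALL_SUCCESS" > "$(results.BUILD_STATUS.path)"` before the exit, and write a short summary of the test run to the TEST_OUTPUT path rather than the full `-v` log, since Tekton results are size-limited (a few KiB by default). The `GO_VERSION` param (default `"1.22"`) is likewise declared but never used — the toolchain comes from the pinned go-toolset 1.24.4 image — so it should be dropped or its description should say it is informational only. The `export PATH=$PATH:$(go env GOPATH)/bin` before `golangci-lint run` repeats the one before `go install` and can go. golangci-lint is fetched with `go install ...@v1.62.2` at run time, by tag rather than digest and outside the prefetched gomod content, which deserves a comment such as `# NOTE: network fetch by tag; this step is not hermetic` so nobody assumes this task runs offline.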

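--- a/.tekton/konflux-release-data-ci-worker-pull-request.yaml
+++ b/.tekton/konflux-release-data-ci-worker-pull-request.yaml
@@ -10,9 +10,15 @@ metadata:
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" &&
 ( ".tekton/konflux-release-data-ci-worker-pull-request.yaml".pathChanged() ||
+".tekton/ci-checks.yaml".pathChanged() ||
 "Containerfile".pathChanged() ||
 "rpms.lock.yaml".pathChanged() ||
-"requirements.txt".pathChanged() )
+"requirements.txt".pathChanged() ||
+"tools/rbac-validator.go".pathChanged() ||
+"tools/rbac-validator_test.go".pathChanged() ||
+"tools/Makefile".pathChanged() ||
+"tools/.golangci.yml".pathChanged() ||
+"tools/testdata/**".pathChanged() )
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: konflux-release-data-ci
@@ -38,7 +44,7 @@ spec:
 - name: path-context
 value: .
 - name: prefetch-input
-value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}]}'
+value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}, {"type": "gomod", "path": "tools"}]}'
 pipelineSpec:
 description: |
 This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -214,6 +220,28 @@ spec:
 workspace: git-auth
 - name: netrc
 workspace: netrc
+- name: ci-checks
+params:
+- name: SOURCE_ARTIFACT
+value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- name: WORKING_DIR
+value: "tools"
+runAfter:
+- prefetch-dependencies
+taskRef:
+resolver: git
+params:
+- name: url
+value: $(params.git-url)
+- name: revision
+value: $(params.revision)
+- name: pathInRepo
+value: .tekton/ci-checks.yaml
+when:
+- input: $(tasks.init.results.build)
+operator: in
+values:
+- "true"
 - matrix:
 params:
 - name: PLATFORM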
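Review bot: The `on-cel-expression` now lists five individual paths under `tools/` but not the Go module files — the new `gomod` prefetch entry points at `tools`, so `go.mod`/`go.sum` presumably live there — meaning a dependency bump that touches only those files would not trigger this pipeline, and neither would a new source file added next to `rbac-validator.go`. Replacing the five `tools/...` entries with a single `"tools/**".pathChanged() ||` covers all of them, using the same glob form the hunk already relies on for `tools/testdata/**`. The identical list appears in `.tekton/konflux-release-data-ci-worker-push.yaml` and should be changed in the same way. The `ci-checks` task is resolved by the git resolver from `$(params.revision)`, so on a pull request the task definition under review is the one the PR itself supplies; that is inherent to Pipelines-as-Code, but a comment above `taskRef` such as `# task definition comes from the revision under test; review .tekton/ci-checks.yaml changes as pipeline changes` would make that explicit for reviewers.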

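--- a/.tekton/konflux-release-data-ci-worker-push.yaml
+++ b/.tekton/konflux-release-data-ci-worker-push.yaml
@@ -9,9 +9,15 @@ metadata:
 pipelinesascode.tekton.dev/max-keep-runs: "3"
 pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" &&
 ( ".tekton/konflux-release-data-ci-worker-push.yaml".pathChanged() ||
+".tekton/ci-checks.yaml".pathChanged() ||
 "Containerfile".pathChanged() ||
 "rpms.lock.yaml".pathChanged() ||
-"requirements.txt".pathChanged() )
+"requirements.txt".pathChanged() ||
+"tools/rbac-validator.go".pathChanged() ||
+"tools/rbac-validator_test.go".pathChanged() ||
+"tools/Makefile".pathChanged() ||
+"tools/.golangci.yml".pathChanged() ||
+"tools/testdata/**".pathChanged() )
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: konflux-release-data-ci
@@ -35,7 +41,7 @@ spec:
 - name: path-context
 value: .
 - name: prefetch-input
-value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}]}'
+value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}, {"type": "gomod", "path": "tools"}]}'
 pipelineSpec:
 description: |
 This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -211,6 +217,28 @@ spec:
 workspace: git-auth
 - name: netrc
 workspace: netrc
+- name: ci-checks
+params:
+- name: SOURCE_ARTIFACT
+value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- name: WORKING_DIR
+value: "tools"
+runAfter:
+- prefetch-dependencies
+taskRef:
+resolver: git
+params:
+- name: url
+value: $(params.git-url)
+- name: revision
+value: $(params.revision)
+- name: pathInRepo
+value: .tekton/ci-checks.yaml
+when:
+- input: $(tasks.init.results.build)
+operator: in
+values:
+- "true"
 - matrix:
 params:
 - name: PLATFORM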

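--- a/Containerfile
+++ b/Containerfile
@@ -1,10 +1,24 @@
 FROM quay.io/konflux-ci/yq@sha256:15d0238843d954ee78c9c190705eb8b36f6e52c31434183c37d99a80841a635a as yq
 FROM registry.redhat.io/openshift4/ose-cli-artifacts-rhel9:v4.17.0-202504091537.p0.g0000b3e.assembly.stream.el9 as oc
 
+# Build stage for RBAC validator
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24.4-1754467841@sha256:3f552f246b4bd5bdfb4da0812085d381d00d3625769baecaed58c2667d344e5c as go-builder
+
+# Copy tools directory and build the binary
+COPY --chown=default tools/ /workspace/tools/
+WORKDIR /workspace/tools
+RUN go mod download && \
+go build -o rbac-validator rbac-validator.go
+
+# Main stage
 FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:8851294389a8641bd6efcd60f615c69e54fb0e2216ec8259448b35e3d9a11b06
 
 COPY --from=yq /usr/bin/yq /usr/bin/yq
 COPY --from=oc /usr/bin/oc /usr/bin/oc
+COPY --from=go-builder /workspace/tools/rbac-validator /usr/local/bin/rbac-validator
+
+# Ensure the binary is executable
+RUN chmod +x /usr/local/bin/rbac-validator
 
 RUN dnf -y install git \
 ruby \
@@ -20,7 +34,6 @@ COPY requirements.txt ./
 
 RUN pip3 install -r requirements.txt
 
-
 # Because Cachi2 doesn't support ruby, we've got to gem install it for now
 # Can look into building it from source later, although without prefetch
 # not much more secure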
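Review bot: The go-builder stage builds with the image defaults, while the ci-checks task pins `CGO_ENABLED: "0"`, so the binary exercised by CI and the one copied into the final image are not built under the same settings; adding `ENV CGO_ENABLED=0` before the `RUN go mod download && \` line, and `-trimpath` to the `go build`, keeps the two aligned and makes the shipped artifact reproducible. `COPY --chown=default tools/ /workspace/tools/` copies the whole directory, including `testdata/` and any local `venv` that the new `.gitignore` entry only hides from git — COPY does not consult `.gitignore` — so either a `.containerignore` entry or a narrower COPY of the module files and sources is worth considering. The `RUN chmod +x` after the multi-stage COPY is redundant, since `go build` already produces an executable; it is harmless but adds a layer and suggests a doubt about the build that a comment could resolve instead.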
