PaloAltoNetworks / rbac-police

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
MIT License

Add local file reading #4

Closed smarticu5 closed 2 years ago

smarticu5 commented 2 years ago

Is your feature request related to a problem?

rbac-police requires a connection to the Kubernetes cluster. This is not always possible in a locked-down environment.

Describe the solution you'd like

Additional functionality which allows rbac-police to process local manifest files (either in .json or .yaml). I propose this could be added using a --local-file flag to the collect command.

Describe alternatives you've considered

My current alternative is to create a new test cluster and apply existing RBAC to that, which is not the most reliable of offerings as there are occasional conflicts between default resources and what I'm adding.

Additional context

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

yuvalavra commented 2 years ago

Done via #8; use --local-dir <dir> to run in offline mode. You can use utils/get_cluster_data.sh to get the data needed for an offline run.