imjasonh / ideas

A place for me to file issues against myself for things I want to build when I'm bored

K8s controller RBAC permission right-sizer #90

Closed imjasonh closed 3 years ago

imjasonh commented 3 years ago

When writing a complex k8s controller it can be difficult to fully catalog what permissions it needs to run. You might just request a bunch of access you don't need and be content that it runs successfully. But that's bad.

Instead, it'd be cool to have a tool that ran some e2e tests while recording what the controller does.

  1. start a Kind cluster with audit logging configured to send requests to a collector
  2. install controller
  3. run some e2e test scenarios
  4. aggregate all the audited requests made by the controller
  5. produce Roles and/or ClusterRoles describing all the stuff the controller did during the tests

imjasonh commented 3 years ago

kind cluster create accepts a config file which can take kubeadm config patches, and kubeadm config can set apiserver flags to write audit logs to a file (newline-delimited JSON objects)

imjasonh commented 3 years ago

Setup KinD cluster to generate audit logs

/tmp/audit/policy.yaml:

```yaml
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata
  # Log each request once, at ResponseComplete. An audit PolicyRule has no
  # `stages` field, only `omitStages`, so the other stages are listed here.
  omitStages:
  - RequestReceived
  - ResponseStarted
  - Panic
```

config.yaml:

```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  extraMounts:
  # /etc/kubernetes/pki is already mounted into the apiserver static pod,
  # so the policy file and the log are placed under it.
  - hostPath: /tmp/audit
    containerPath: /etc/kubernetes/pki/audit
    readOnly: False
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  metadata:
    name: config
  apiServer:
    extraArgs:
      "audit-policy-file": "/etc/kubernetes/pki/audit/policy.yaml"
      "audit-log-path": "/etc/kubernetes/pki/audit/audit.log"
```

Create the KinD cluster:

```shell
kind create cluster --name=audit --config=config.yaml
```

Run e2e tests

[not pictured]

Collect usage data

The KinD cluster's control plane node writes newline-delimited JSON objects to /tmp/audit/audit.log, which you can process with jq, grep, etc.

```shell
cat /tmp/audit/audit.log | jq '. | "\(.objectRef.apiGroup)/\(.objectRef.apiVersion) \(.objectRef.resource) \(.verb) \(.objectRef.namespace) \(.user.username)"' | grep tekton-pipelines-controller\" | sort -u
```
Full output:

```
"null/v1 configmaps get tekton-pipelines system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 configmaps list tekton-pipelines system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 configmaps watch tekton-pipelines system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events create arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 events patch arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 limitranges list arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 persistentvolumeclaims get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods create arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods delete arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods delete arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods delete arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods delete arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods patch arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 pods watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 secrets get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"null/v1 serviceaccounts get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 conditions list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 conditions watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 pipelineresources list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 pipelineresources watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 runs list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1alpha1 runs watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 clustertasks list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 clustertasks watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns update arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelineruns watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelines list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 pipelines watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns create arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns get arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns patch arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns patch arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns patch arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns patch arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-4zshb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-6kbxb system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-986s4 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-cpvds system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-db6bf system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-gvc8s system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-hk6gz system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-jzr24 system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-l8j2n system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-q2pls system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-xkpgg system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns update arendelle-zrstn system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 taskruns watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 tasks list null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
"tekton.dev/v1beta1 tasks watch null system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"
```

It probably makes sense to separate these requests into buckets for "my namespace(s)" (tekton-pipelines) and "other namespaces" (arendelle-zrstn), to tell whether it should be granted by a namespaced Role or a ClusterRole.
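As an added example (not the author's code, nor the rbac-audit tool), here is the aggregation step over a few constructed audit-log lines: it keeps only the controller's service account, counts each request once (ResponseComplete stage only), folds subresources into `resource/subresource`, and buckets the (apiGroup, resource, verb) triples into per-namespace Role rules and ClusterRole rules along the lines described above. The sample events and the `tekton-pipelines` home namespace are assumptions.

```python
import json
from collections import defaultdict

CONTROLLER_SA = "system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"

# Constructed sample lines shaped like audit.k8s.io Event objects, trimmed to the fields
# used below. Core-group events carry no apiGroup and cluster-wide list/watch carries no
# namespace, which is where the "null" fields in the jq output above come from.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiVersion": "v1", "resource": "configmaps", "namespace": "tekton-pipelines"}},
    {"stage": "ResponseComplete", "verb": "watch", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiVersion": "v1", "resource": "configmaps", "namespace": "tekton-pipelines"}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiVersion": "v1", "resource": "pods", "namespace": "arendelle-4zshb"}},
    {"stage": "ResponseComplete", "verb": "create", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiVersion": "v1", "resource": "pods", "namespace": "arendelle-zrstn"}},
    {"stage": "ResponseComplete", "verb": "update", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiGroup": "tekton.dev", "apiVersion": "v1beta1", "resource": "taskruns",
                   "subresource": "status", "namespace": "arendelle-4zshb"}},
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiGroup": "tekton.dev", "apiVersion": "v1beta1", "resource": "taskruns"}},
    # Same request at an earlier stage: a broader audit policy would log it too.
    {"stage": "RequestReceived", "verb": "list", "user": {"username": CONTROLLER_SA},
     "objectRef": {"apiGroup": "tekton.dev", "apiVersion": "v1beta1", "resource": "taskruns"}},
    # A non-resource request (no objectRef) and another principal's request.
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": CONTROLLER_SA},
     "requestURI": "/healthz"},
    {"stage": "ResponseComplete", "verb": "delete", "user": {"username": "kubernetes-admin"},
     "objectRef": {"apiVersion": "v1", "resource": "secrets", "namespace": "kube-system"}},
])


def aggregate(log_text, username, home_namespaces):
    """Bucket (apiGroup, resource, verb) triples by grant scope: a namespaced Role for a home
    namespace, a ClusterRole for other namespaces or for requests with no namespace at all."""
    role_rules = defaultdict(set)
    cluster_rules = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # One request is logged at several stages; count it exactly once.
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef") or {}
        if not ref.get("resource"):
            continue  # non-resource URL: would need a nonResourceURLs rule instead
        resource = ref["resource"]
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]  # e.g. taskruns/status
        triple = (ref.get("apiGroup", ""), resource, ev["verb"])
        ns = ref.get("namespace")
        if ns in home_namespaces:
            role_rules[ns].add(triple)
        else:
            cluster_rules.add(triple)
    return dict(role_rules), cluster_rules


def to_policy_rules(triples):
    """Collapse triples into PolicyRule-shaped dicts, one per (apiGroup, resource)."""
    verbs = defaultdict(set)
    for group, resource, verb in triples:
        verbs[(group, resource)].add(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(verbs.items())]


if __name__ == "__main__":
    roles, cluster = aggregate(SAMPLE_AUDIT_LOG, CONTROLLER_SA, {"tekton-pipelines"})
    print("Role rules:", json.dumps({ns: to_policy_rules(t) for ns, t in roles.items()}))
    print("ClusterRole rules:", json.dumps(to_policy_rules(cluster)))
```

A real run would read /tmp/audit/audit.log instead of the embedded sample; a rule that lands in the ClusterRole bucket only because the tests used random namespaces is a hint to revisit whether the controller really needs cluster-wide access there.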

imjasonh commented 3 years ago

Of course after I wrote a bunch of code I find out this already exists 🤦‍♂️

https://github.com/alcideio/rbac-tool#rbac-tool-auditgen

based on

https://github.com/liggitt/audit2rbac
https://www.youtube.com/watch?v=n2cD20moYe8

The KinD+e2e tests part seems novel at least, I can hook that up to these tools.

imjasonh commented 3 years ago

https://github.com/imjasonh/rbac-audit