Badrobot is a Kubernetes Operator audit tool. It statically analyses manifests for high risk configurations such as lack of security restrictions on the deployed controller and the permissions of an associated clusterole. The risk analysis is primarily focussed on the likelihood that a compromised Operator would be able to obtain full cluster permissions.
ptx96
commented
2 years ago
Describe the feature
The CI pipeline could integrate static security analysis on the (
Cluster)Rolesthat the operator would run with.What would the new user story look like?
As a maintainer, I would like that contribution would pass a static analysis of RBAC being introduced before being integrated.
This is one of the examples of shifting left the security, statically analyzing (SAST) before the integration of software.
Expected behavior
First step: RBAC
One first approach could be adding a job in the CI Github workflow, that would audit through tools.
Tools: BadRobot.