Rbac Police Versions

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego

v1.1.2

1 year ago

Changelog

  • f4e38ed Add --zoom flag which expands the permissions of a specific identity
  • 8119d6b Update README.md
  • c4f29d1 Add example image to README.md

v1.1.1

1 year ago

Changelog

  • 3856324 Stop releasing PIE builds as they're not statically linked
  • 0fc8bfc Update collect.md
  • 508fe55 Update README.md

v1.1.0

1 year ago

New

  • Retrieve and evaluate the permissions of individual users and groups (disabled by default, enabled through the new --violations flag).
  • Control the indent of JSON output with the new --json-indent flag, useful for shrinking output size.
  • Slight performance improvements.

Breaking changes

  • Policies now use a targets set to define the violations they produce, instead of the checkXXX variables. For example, a policy that defined checkServiceAccounts := true and checkNodes := true would now need to replace these with targets := {"serviceAccounts", "nodes"}. The policy library has been updated. Custom policies can be updated using the ./utils/update_policy_to_use_targets.py script.
  • The --no-XXX-violations flags have been replaced with a new --violations flag, see configure-violation-types.

Changelog

  • 217e52d Add --json-indent to help docs
  • 4539fdf Update policies.md
  • a1c6eb6 Add --json-indent option
  • f33987f Update .gitignore
  • 75d16cd Update policies.md
  • 373bb1c Update policies.md
  • cbc5c66 Update policies.md
  • f628a7d Update README.md
  • df5f672 Add script that updates policies to use the new 'targets' set
  • abbfef4 purge dangling roles & identities before passing input to policies
  • b3ad5e5 Stop indenting collect's out to save disk space
  • 3e1a3e6 Recreate store buffer for each policy evaluation
  • cd2fd6b Collect user & group roles and produce user & group violations, BREAKING minor policy format change, BREAKING replace old --no-XXX-violations flags with new --violations flag
  • ffe47f7 Update README.md
  • 528b331 Update README.md

v1.0.1

1 year ago

Changelog

  • 25dd22a Add offline mode
  • 7ab8552 Add built test action on pull requests

v1.0.0

1 year ago

Changelog

  • 28a31c1 Add goreleaser
  • 6eb7fc9 identify legacyTokenSecrets when collection is scoped to a namespace
  • c78c9d2 discover protections final touches
  • 8af0be9 Merge pull request #7 from PaloAltoNetworks/node-restriction
  • 7dc5474 Collect NodeRestriction, consume in affected policies
  • 386ee2c Update README.md
  • f7f42eb Add some docs for protection discovery
  • b992f18 Merge pull request #6 from PaloAltoNetworks/auto-discover
  • c89a15f Discover protections infra, add support for identifying LegacyServiceAccountToken feature gates
  • d7d489b Use 'in' keyword in policies
  • 5674782 Update obtain_token_weak_ns.rego
  • 64f22c1 Fix constraint yaml, better policy descriptions
  • 8630599 add SUPPORT.md
  • 9ffa6df set min go version to 1.16
  • ed3fe9b Update README.md
  • d2937e2 description updates for 2 policies
  • 181b498 first commit