🔥 Delete permissionFiles folder

2025-07-17 09:51:56 +00:00 · 2023-04-20 03:52:15 +03:00 · 2023-04-20 03:52:15 +03:00 · e65656c1df
commit e65656c1df
parent df7d1ac10c
8 changed files with 3 additions and 242 deletions
--- a/cmd/check/kubernetesPermissions.go
+++ b/cmd/check/kubernetesPermissions.go
@ -2,48 +2,16 @@ package check

 import (
 	"context"
-	"embed"
 	"fmt"

-	"github.com/kubeshark/kubeshark/config"
 	"github.com/kubeshark/kubeshark/kubernetes"
 	"github.com/rs/zerolog/log"
 	rbac "k8s.io/api/rbac/v1"
-	"k8s.io/client-go/kubernetes/scheme"
 )

-func KubernetesPermissions(ctx context.Context, embedFS embed.FS, kubernetesProvider *kubernetes.Provider) bool {
+func KubernetesPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool {
 	log.Info().Str("procedure", "kubernetes-permissions").Msg("Checking:")
-
-	var filePath string
-	if config.Config.IsNsRestrictedMode() {
-		filePath = "permissionFiles/permissions-ns-tap.yaml"
-	} else {
-		filePath = "permissionFiles/permissions-all-namespaces-tap.yaml"
-	}
-
-	data, err := embedFS.ReadFile(filePath)
-	if err != nil {
-		log.Error().Err(err).Msg("While checking Kubernetes permissions!")
-		return false
-	}
-
-	decode := scheme.Codecs.UniversalDeserializer().Decode
-	obj, _, err := decode(data, nil, nil)
-	if err != nil {
-		log.Error().Err(err).Msg("While checking Kubernetes permissions!")
-		return false
-	}
-
-	switch resource := obj.(type) {
-	case *rbac.Role:
-		return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, config.Config.Tap.SelfNamespace)
-	case *rbac.ClusterRole:
-		return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, "")
-	}
-
-	log.Error().Msg("While checking Kubernetes permissions! Resource of types 'Role' or 'ClusterRole' are not found in permission files.")
-	return false
+	return checkRulesPermissions(ctx, kubernetesProvider, kubernetesProvider.BuildClusterRole().Rules, "")
 }

 func checkRulesPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider, rules []rbac.PolicyRule, namespace string) bool {
--- a/cmd/checkRunner.go
+++ b/cmd/checkRunner.go
@ -2,7 +2,6 @@ package cmd

 import (
 	"context"
-	"embed"
 	"fmt"
 	"os"

@ -12,11 +11,6 @@ import (
 	"github.com/rs/zerolog/log"
 )

-var (
-	//go:embed permissionFiles
-	embedFS embed.FS
-)
-
 func runCheck() {
 	log.Info().Msg(fmt.Sprintf("Checking the %s resources...", misc.Software))

@ -30,7 +24,7 @@ func runCheck() {
 	}

 	if checkPassed {
-		checkPassed = check.KubernetesPermissions(ctx, embedFS, kubernetesProvider)
+		checkPassed = check.KubernetesPermissions(ctx, kubernetesProvider)
 	}

 	if checkPassed {
--- a/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
@ -1,25 +0,0 @@
-# This example shows permissions that enrich the logs with additional info
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-clusterrole
-rules:
- apiGroups: ["events.k8s.io"]
-  resources: ["events"]
-  verbs: ["watch"]
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-runner-debug-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrole
-rules:
- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "create"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterrolebindings"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-resolver-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
+++ b/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
@ -1,40 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrole
-rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create"]
- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch"]
- apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["list", "watch", "create", "delete"]
- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create"]
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create"]
- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrolebindings
-subjects:
- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-runner-clusterrole
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-debug-optional.yaml
+++ b/cmd/permissionFiles/permissions-ns-debug-optional.yaml
@ -1,25 +0,0 @@
-# This example shows permissions that enrich the logs with additional info in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-role
-rules:
- apiGroups: ["events.k8s.io"]
-  resources: ["events"]
-  verbs: ["watch"]
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-debug-role
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
+++ b/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-role
-rules:
- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["rolebindings"]
-  verbs: ["get", "list", "create", "delete"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-resolver-role
-  apiGroup: rbac.authorization.k8s.io
--- a/cmd/permissionFiles/permissions-ns-tap.yaml
+++ b/cmd/permissionFiles/permissions-ns-tap.yaml
@ -1,37 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-role
-rules:
- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create", "delete"]
- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch", "delete"]
- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create", "delete"]
- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create", "delete"]
- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
---
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-rolebindings
-subjects:
- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-role
-  apiGroup: rbac.authorization.k8s.io