From e65656c1df95a80ee350fbe4b43de2a77f67ffee Mon Sep 17 00:00:00 2001
From: "M. Mert Yildiran"
Date: Thu, 20 Apr 2023 03:52:15 +0300
Subject: [PATCH] :fire: Delete `permissionFiles` folder

---
 cmd/check/kubernetesPermissions.go | 36 +----------------
 cmd/checkRunner.go | 8 +---
 ...issions-all-namespaces-debug-optional.yaml | 25 ------------
 ...all-namespaces-ip-resolution-optional.yaml | 37 -----------------
 .../permissions-all-namespaces-tap.yaml | 40 -------------------
 .../permissions-ns-debug-optional.yaml | 25 ------------
 ...permissions-ns-ip-resolution-optional.yaml | 37 -----------------
 cmd/permissionFiles/permissions-ns-tap.yaml | 37 -----------------
 8 files changed, 3 insertions(+), 242 deletions(-)
 delete mode 100644 cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml
 delete mode 100644 cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml
 delete mode 100644 cmd/permissionFiles/permissions-all-namespaces-tap.yaml
 delete mode 100644 cmd/permissionFiles/permissions-ns-debug-optional.yaml
 delete mode 100644 cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
 delete mode 100644 cmd/permissionFiles/permissions-ns-tap.yaml

diff --git a/cmd/check/kubernetesPermissions.go b/cmd/check/kubernetesPermissions.go
index e1a280590..40ab1f37d 100644
--- a/cmd/check/kubernetesPermissions.go
+++ b/cmd/check/kubernetesPermissions.go
@@ -2,48 +2,16 @@ package check import ( "context" - "embed" "fmt" - "github.com/kubeshark/kubeshark/config" "github.com/kubeshark/kubeshark/kubernetes" "github.com/rs/zerolog/log" rbac "k8s.io/api/rbac/v1" - "k8s.io/client-go/kubernetes/scheme" ) -func KubernetesPermissions(ctx context.Context, embedFS embed.FS, kubernetesProvider *kubernetes.Provider) bool { +func KubernetesPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider) bool { log.Info().Str("procedure", "kubernetes-permissions").Msg("Checking:") - - var filePath string - if config.Config.IsNsRestrictedMode() { - filePath = "permissionFiles/permissions-ns-tap.yaml" - } else { - filePath = "permissionFiles/permissions-all-namespaces-tap.yaml" - } - - data, err := embedFS.ReadFile(filePath) - if err != nil { - log.Error().Err(err).Msg("While checking Kubernetes permissions!") - return false - } - - decode := scheme.Codecs.UniversalDeserializer().Decode - obj, _, err := decode(data, nil, nil) - if err != nil { - log.Error().Err(err).Msg("While checking Kubernetes permissions!") - return false - } - - switch resource := obj.(type) { - case *rbac.Role: - return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, config.Config.Tap.SelfNamespace) - case *rbac.ClusterRole: - return checkRulesPermissions(ctx, kubernetesProvider, resource.Rules, "") - } - - log.Error().Msg("While checking Kubernetes permissions! Resource of types 'Role' or 'ClusterRole' are not found in permission files.") - return false + return checkRulesPermissions(ctx, kubernetesProvider, kubernetesProvider.BuildClusterRole().Rules, "") } func checkRulesPermissions(ctx context.Context, kubernetesProvider *kubernetes.Provider, rules []rbac.PolicyRule, namespace string) bool { diff --git a/cmd/checkRunner.go b/cmd/checkRunner.go index c761a1ef5..8dedf6668 100644 --- a/cmd/checkRunner.go +++ b/cmd/checkRunner.go @@ -2,7 +2,6 @@ package cmd import ( "context" - "embed" "fmt" "os" 
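Review bot: The namespace-restricted case is no longer checked: the new body always evaluates `kubernetesProvider.BuildClusterRole().Rules` with namespace `""`, i.e. at cluster scope, whereas the removed branch checked a namespaced Role against `config.Config.Tap.SelfNamespace` when `config.Config.IsNsRestrictedMode()` was set. If that mode still exists, a user who holds only a namespaced Role will now be reported as lacking permissions even though the tool could run in that namespace, and, if BuildClusterRole() is the role Kubeshark grants its own in-cluster service account rather than the operator-side rules the deleted `permissions-*-tap.yaml` files listed (daemonsets/configmaps/namespaces `create`, `services/proxy`), the check no longer verifies what the `tap` command itself needs — neither can be confirmed from this hunk. Either restore the mode switch, `if config.Config.IsNsRestrictedMode() { return checkRulesPermissions(ctx, kubernetesProvider, rules, config.Config.Tap.SelfNamespace) }` with the namespaced rule set, or state the narrowing in a doc comment on the function: `// KubernetesPermissions checks that the current user may perform every rule of the provider's ClusterRole cluster-wide; namespace-restricted setups are not covered.` checkRulesPermissions starts in this hunk and continues outside it, so how it treats the empty namespace is not visible here.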
@@ -12,11 +11,6 @@ import ( "github.com/rs/zerolog/log" ) -var ( - //go:embed permissionFiles - embedFS embed.FS -) - func runCheck() { log.Info().Msg(fmt.Sprintf("Checking the %s resources...", misc.Software)) @@ -30,7 +24,7 @@ func runCheck() { } if checkPassed { - checkPassed = check.KubernetesPermissions(ctx, embedFS, kubernetesProvider) + checkPassed = check.KubernetesPermissions(ctx, kubernetesProvider) } if checkPassed { diff --git a/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml b/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml deleted file mode 100644 index 02540a150..000000000 --- a/cmd/permissionFiles/permissions-all-namespaces-debug-optional.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# This example shows permissions that enrich the logs with additional info -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeshark-runner-debug-clusterrole -rules: -- apiGroups: ["events.k8s.io"] - resources: ["events"] - verbs: ["watch"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kubeshark-runner-debug-clusterrolebindings -subjects: -- kind: User - name: user-with-clusterwide-access - apiGroup: rbac.authorization.k8s.io -roleRef: - kind: ClusterRole - name: kubeshark-runner-debug-clusterrole - apiGroup: rbac.authorization.k8s.io diff --git a/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml b/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml deleted file mode 100644 index 1f9b654fa..000000000 --- a/cmd/permissionFiles/permissions-all-namespaces-ip-resolution-optional.yaml +++ /dev/null 
@@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrole
-rules:
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "create"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterroles"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["clusterrolebindings"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-clusterrolebindings
-subjects:
-- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-resolver-clusterrole
-  apiGroup: rbac.authorization.k8s.io
diff --git a/cmd/permissionFiles/permissions-all-namespaces-tap.yaml b/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
deleted file mode 100644
index af6464dce..000000000
--- a/cmd/permissionFiles/permissions-all-namespaces-tap.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrole
-rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
-- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create"]
-- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch"]
-- apiGroups: [""]
-  resources: ["namespaces"]
-  verbs: ["list", "watch", "create", "delete"]
-- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create"]
-- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create"]
-- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-clusterrolebindings
-subjects:
-- kind: User
-  name: user-with-clusterwide-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: ClusterRole
-  name: kubeshark-runner-clusterrole
-  apiGroup: rbac.authorization.k8s.io
diff --git a/cmd/permissionFiles/permissions-ns-debug-optional.yaml b/cmd/permissionFiles/permissions-ns-debug-optional.yaml
deleted file mode 100644
index e634fad50..000000000
--- a/cmd/permissionFiles/permissions-ns-debug-optional.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# This example shows permissions that enrich the logs with additional info in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-role
-rules:
-- apiGroups: ["events.k8s.io"]
-  resources: ["events"]
-  verbs: ["watch"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-debug-rolebindings
-subjects:
-- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-debug-role
-  apiGroup: rbac.authorization.k8s.io
diff --git a/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml b/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
deleted file mode 100644
index 2fee82bca..000000000
--- a/cmd/permissionFiles/permissions-ns-ip-resolution-optional.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# This example shows permissions that are required for Kubeshark to resolve IPs to service names in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-role
-rules:
-- apiGroups: [""]
-  resources: ["serviceaccounts"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["roles"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
-  resources: ["rolebindings"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["pods"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["services"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
-  resources: ["endpoints"]
-  verbs: ["get", "list", "watch"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-resolver-rolebindings
-subjects:
-- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-resolver-role
-  apiGroup: rbac.authorization.k8s.io
diff --git a/cmd/permissionFiles/permissions-ns-tap.yaml b/cmd/permissionFiles/permissions-ns-tap.yaml
deleted file mode 100644
index 26f939fe9..000000000
--- a/cmd/permissionFiles/permissions-ns-tap.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-# This example shows the permissions that are required in order to run the `kubeshark tap` command in namespace-restricted mode
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-role
-rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["list", "watch", "create"]
-- apiGroups: [""]
-  resources: ["services"]
-  verbs: ["get", "create", "delete"]
-- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs: ["create", "patch", "delete"]
-- apiGroups: [""]
-  resources: ["services/proxy"]
-  verbs: ["get", "create", "delete"]
-- apiGroups: [""]
-  resources: ["configmaps"]
-  verbs: ["create", "delete"]
-- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: kubeshark-runner-rolebindings
-subjects:
-- kind: User
-  name: user-with-restricted-access
-  apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: kubeshark-runner-role
-  apiGroup: rbac.authorization.k8s.io