[CLI] Add command for validating RBAC policy

Description

Provide a functionality similar to the one described here:


  • Add command everestctl settings rbac validate for validating a policy

  • Add command everestctl settings rbac can for testing a policy


Notes for QA:

  • Please use -h or help to see detailed usage of the command and more examples.

  • The --policy-file flag is optional. If it is unspecified, the command uses the RBAC policy from the ConfigMap (if Everest is installed)

    • This will be documented.
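As an added example (not part of this ticket or of the everestctl code), a small Python sketch of the two checks the description asks for: a validate pass over a policy CSV that rejects malformed lines, unknown resources and actions (such as the read-write access that the QA comment below reports slipping through) and roles that no policy line defines, plus a can query that resolves a user's roles. The line shapes `p, <subject>, <resource>, <action>, <object>` and `g, <user>, <role>`, and the resource and action vocabularies, are assumptions for illustration, not Everest's authoritative lists.

```python
import csv
import io
# Assumed vocabularies for illustration only; not Everest's authoritative lists.
RESOURCES = {"namespaces", "database-clusters", "monitoring-instances", "backup-storages"}
ACTIONS = {"read", "create", "update", "delete", "*"}

def _rows(text):
    """Yield (line_no, stripped fields) for each non-blank line of a policy CSV."""
    for no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if any(f.strip() for f in row):
            yield no, [f.strip() for f in row]

def validate_policy(text):
    """Return sorted (line_no, message) problems; an empty list means the policy passed."""
    errors, roles_defined, roles_used = [], set(), {}
    for no, row in _rows(text):
        if row[0] == "p" and len(row) == 5:
            _, subject, resource, action, _obj = row
            roles_defined.add(subject)
            if resource not in RESOURCES:
                errors.append((no, f"invalid resource {resource!r}"))
            if action not in ACTIONS:  # catches e.g. 'read-write', which QA saw slip through
                errors.append((no, f"invalid action {action!r}"))
        elif row[0] == "g" and len(row) == 3:
            roles_used.setdefault(row[2], no)  # remember first line using this role
        else:
            errors.append((no, f"invalid line: {', '.join(row)!r}"))
    for role, no in roles_used.items():
        if role not in roles_defined:
            errors.append((no, f"invalid role {role!r}: no policy line defines it"))
    return sorted(errors)

def can(text, user, action, resource, obj="*"):
    """Mimic 'rbac can': True if user, directly or via a role, matches a 'p' line."""
    subjects, rules = {user}, []
    for _, row in _rows(text):
        if row[0] == "g" and len(row) == 3 and row[1] == user:
            subjects.add(row[2])
        elif row[0] == "p" and len(row) == 5:
            rules.append(row[1:])
    return any(s in subjects and r == resource and a in ("*", action) and o in ("*", obj)
               for s, r, a, o in rules)
# Constructed sample: a good admin role, a bad resource, a bad action, and an undefined role.
SAMPLE_POLICY = """p, role:admin, database-clusters, *, *
p, role:viewer, monitoring-instance, read, *
p, role:viewer, namespaces, read-write, *
g, alice, role:admin
g, bob, role:viewer
g, carol, role:ghost
"""
```

Note that the misspelled action on the viewer line does not grant anything: can() for bob on namespaces returns False, which is the silent failure a validate step should surface.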

Activity


Manish Chawla October 1, 2024 at 1:13 PM

Tested with Everest v1.2.0-rc8 version

Valid policy file

Add read only roles in policy file

Invalid line

Invalid role

Invalid line

Invalid permission monitoring-instance

Invalid Access - read-write

Note: Validation passed; the validate command does not give an error for invalid access.

Checking the can command with policy file

If config map has

then

Mayank Shah July 17, 2024 at 5:20 AM

The panic comes from the RBAC library we’re using and unfortunately it lacks proper error handling, so I need to manually add checks for such cases.

However, I think it is correct for Everest server to panic in such cases. You may have noticed that with other types of syntax error, it doesn't panic, but I think it should. Otherwise the user can enter an incorrect policy and have no idea about it - this can have some security implications. I will fix it so that Everest panics on syntax errors, and shows proper error messages in the panic.

Manish Chawla July 16, 2024 at 12:39 PM

Thanks Mayank, I looked at ArgoCD implementation and their validate command can parse the config map in yaml format. This might be easier for users to validate the yaml file and then apply it directly in kubernetes, maybe we can improve it in the next release.

I changed this line in policy.csv

The validate command gives this error

If this is changed in the config map, then the everest operator crashes

Mayank Shah July 16, 2024 at 9:56 AM
Edited

Hey

When you pass --policy-file, it should not be a Kubernetes YAML. It needs to be a CSV file containing the core RBAC configuration.

Here’s an example:

(please also see the examples in the original description, I’ve passed the CSV file directly)

Manish Chawla July 16, 2024 at 9:21 AM

Hi, the validate command works for the default ConfigMap policy.

But if we get the same ConfigMap policy in YAML, then the validate command gives an error.

Unresolved

Created June 11, 2024 at 9:55 AM
Updated October 1, 2024 at 7:43 PM