feat(KONFLUX-9093): Add tool for validating role RBAC

In KONFLUX-9093, there is a request to enable roles to be cerated in
namespaces via Argo. In order to allow this, we need to be able to
guarantee that the roles are not granting permissions that users would
normally not have (but which Argo would have). We can use k8s tooling to
ensure that permissions are not exceeding some reference roles.

Co-Authored-By: Claude <[email protected]>
Signed-off-by: arewm <[email protected]>

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: arewm

.gitignore

@@ -0,0 +1,2 @@
+tools/rbac-validator
+*/venv

.tekton/ci-checks.yaml

@@ -0,0 +1,140 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: ci-checks
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/categories: CI
+    tekton.dev/tags: ci,golang,rbac,validation
+    tekton.dev/displayName: "CI Checks"
+    tekton.dev/platforms: "linux/amd64,linux/arm64"
+spec:
+  description: >-
+    This task runs CI checks for the RBAC validator tool including format checking,
+    linting, testing, and build verification. It uses the trusted artifact pattern
+    to retrieve source code.
+  params:
+    - name: SOURCE_ARTIFACT
+      description: The Trusted Artifact URI pointing to the application source code
+      type: string
+    - name: WORKING_DIR
+      description: Working directory for the CI checks
+      type: string
+      default: "tools"
+    - name: GO_VERSION
+      description: Go version to use for building and testing
+      type: string
+      default: "1.22"
+  results:
+    - name: TEST_OUTPUT
+      description: Output from the test execution
+    - name: BUILD_STATUS
+      description: Status of the build process
+  volumes:
+    - name: workdir
+      emptyDir: {}
+  stepTemplate:
+    volumeMounts:
+      - mountPath: /var/workdir
+        name: workdir
+  steps:
+    - name: use-trusted-artifact
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
+      args:
+        - use
+        - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+      volumeMounts:
+        - mountPath: /var/workdir
+          name: workdir
+    
+    - name: ci-checks
+      image: registry.access.redhat.com/ubi9/go-toolset:1.24.4-1754467841@sha256:3f552f246b4bd5bdfb4da0812085d381d00d3625769baecaed58c2667d344e5c
+      workingDir: /var/workdir/source/$(params.WORKING_DIR)
+      env:
+        - name: GOCACHE
+          value: /var/workdir/.cache/go-build
+        - name: GOMODCACHE
+          value: /var/workdir/.cache/go-mod
+        - name: CGO_ENABLED
+          value: "0"
+      script: |
+        #!/bin/bash
+        set -uo pipefail
+        
+        # Track overall success
+        OVERALL_SUCCESS=true
+        
+        echo "=== Starting CI checks for RBAC validator ==="
+        # Ensure we're in the tools directory
+        if [[ ! -f "rbac-validator.go" ]]; then
+          echo "Error: rbac-validator.go not found in current directory"
+          echo "Current directory contents:"
+          ls -la
+          exit 1
+        fi
+        
+        # Create cache directories
+        mkdir -p /var/workdir/.cache/go-build /var/workdir/.cache/go-mod
+        
+        echo "=== Installing golangci-lint ==="
+        export PATH=$PATH:$(go env GOPATH)/bin
+        go install github.com/golangci/golangci-lint/cmd/[email protected]
+        
+        echo "=== Running format check ==="
+        if [ -n "$(gofmt -l .)" ]; then
+          echo "Code is not formatted. Files needing formatting:"
+          gofmt -l .
+          echo "FAIL: Code formatting check failed"
+          exit 1
+        fi
+        echo "PASS: Code formatting check"
+        
+        echo "=== Running golangci-lint ==="
+        export PATH=$PATH:$(go env GOPATH)/bin
+        if golangci-lint run --build-tags="" --max-issues-per-linter=0 --max-same-issues=0; then
+          echo "PASS: Linting check"
+        else
+          echo "FAIL: Linting check"
+          OVERALL_SUCCESS=false
+        fi
+        
+        echo "=== Building binary ==="
+        if go build -o rbac-validator rbac-validator.go; then
+          echo "PASS: Binary build"
+        else
+          echo "FAIL: Binary build"
+          OVERALL_SUCCESS=false
+        fi
+        
+        echo "=== Running tests ==="
+        if go test -v ./... | tee /var/workdir/test-output.txt; then
+          echo "PASS: All tests"
+        else
+          echo "FAIL: All tests"
+          OVERALL_SUCCESS=false
+        fi
+        
+        echo "=== Running testdata validation tests ==="
+        if go test -v -run "TestAllowedRoles|TestDeniedRoles|TestBinaryWithTestData|TestTestDataCompleteness"; then
+          echo "PASS: Testdata validation"
+        else
+          echo "FAIL: Testdata validation"
+          OVERALL_SUCCESS=false
+        fi
+        
+        
+        if [ "$OVERALL_SUCCESS" = "true" ]; then
+          echo "=== All CI checks completed successfully ==="
+        else
+          echo "=== CI checks completed with failures ==="
+          exit 1
+        fi
+      volumeMounts:
+        - mountPath: /var/workdir
+          name: workdir
+      # git clone is made as user 0, so we need to be this user too because
+      # the trusted artifacts are restored as this user as well.
+      securityContext:
+        runAsUser: 0

.tekton/konflux-release-data-ci-worker-pull-request.yaml

@@ -10,9 +10,15 @@ metadata:
     pipelinesascode.tekton.dev/max-keep-runs: "3"
     pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && 
       ( ".tekton/konflux-release-data-ci-worker-pull-request.yaml".pathChanged() || 
+      ".tekton/ci-checks.yaml".pathChanged() ||
       "Containerfile".pathChanged() || 
       "rpms.lock.yaml".pathChanged() || 
-      "requirements.txt".pathChanged() )
+      "requirements.txt".pathChanged() ||
+      "tools/rbac-validator.go".pathChanged() ||
+      "tools/rbac-validator_test.go".pathChanged() ||
+      "tools/Makefile".pathChanged() ||
+      "tools/.golangci.yml".pathChanged() ||
+      "tools/testdata/**".pathChanged() )
   creationTimestamp: null
   labels:
     appstudio.openshift.io/application: konflux-release-data-ci
@@ -38,7 +44,7 @@ spec:
   - name: path-context
     value: .
   - name: prefetch-input
-    value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}]}'
+    value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}, {"type": "gomod", "path": "tools"}]}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -214,6 +220,22 @@ spec:
         workspace: git-auth
       - name: netrc
         workspace: netrc
+    - name: ci-checks
+      params:
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+      - name: WORKING_DIR
+        value: "tools"
+      runAfter:
+      - prefetch-dependencies
+      taskRef:
+        kind: Task
+        name: ci-checks
+      when:
+      - input: $(tasks.init.results.build)
+        operator: in
+        values:
+        - "true"
     - matrix:
         params:
         - name: PLATFORM

.tekton/konflux-release-data-ci-worker-push.yaml

@@ -9,9 +9,15 @@ metadata:
     pipelinesascode.tekton.dev/max-keep-runs: "3"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" &&
       ( ".tekton/konflux-release-data-ci-worker-push.yaml".pathChanged() || 
+      ".tekton/ci-checks.yaml".pathChanged() ||
       "Containerfile".pathChanged() || 
       "rpms.lock.yaml".pathChanged() || 
-      "requirements.txt".pathChanged() )
+      "requirements.txt".pathChanged() ||
+      "tools/rbac-validator.go".pathChanged() ||
+      "tools/rbac-validator_test.go".pathChanged() ||
+      "tools/Makefile".pathChanged() ||
+      "tools/.golangci.yml".pathChanged() ||
+      "tools/testdata/**".pathChanged() )
   creationTimestamp: null
   labels:
     appstudio.openshift.io/application: konflux-release-data-ci
@@ -35,7 +41,7 @@ spec:
   - name: path-context
     value: .
   - name: prefetch-input
-    value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}]}'
+    value: '{"packages": [{"type": "pip", "path": "."}, {"type": "rpm", "path": "."}, {"type": "gomod", "path": "tools"}]}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -211,6 +217,22 @@ spec:
         workspace: git-auth
       - name: netrc
         workspace: netrc
+    - name: ci-checks
+      params:
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+      - name: WORKING_DIR
+        value: "tools"
+      runAfter:
+      - prefetch-dependencies
+      taskRef:
+        kind: Task
+        name: ci-checks
+      when:
+      - input: $(tasks.init.results.build)
+        operator: in
+        values:
+        - "true"
     - matrix:
         params:
         - name: PLATFORM

Containerfile

@@ -1,10 +1,24 @@
 FROM quay.io/konflux-ci/yq@sha256:15d0238843d954ee78c9c190705eb8b36f6e52c31434183c37d99a80841a635a as yq
 FROM registry.redhat.io/openshift4/ose-cli-artifacts-rhel9:v4.17.0-202504091537.p0.g0000b3e.assembly.stream.el9 as oc
 
+# Build stage for RBAC validator
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24.4-1754467841@sha256:3f552f246b4bd5bdfb4da0812085d381d00d3625769baecaed58c2667d344e5c as go-builder
+
+# Copy tools directory and build the binary
+COPY --chown=default tools/ /workspace/tools/
+WORKDIR /workspace/tools
+RUN go mod download && \
+    go build -o rbac-validator rbac-validator.go
+
+# Main stage
 FROM registry.access.redhat.com/ubi9/ubi:latest@sha256:8851294389a8641bd6efcd60f615c69e54fb0e2216ec8259448b35e3d9a11b06
 
 COPY --from=yq /usr/bin/yq /usr/bin/yq
 COPY --from=oc /usr/bin/oc /usr/bin/oc
+COPY --from=go-builder /workspace/tools/rbac-validator /usr/local/bin/rbac-validator
+
+# Ensure the binary is executable
+RUN chmod +x /usr/local/bin/rbac-validator
 
 RUN dnf -y install git \
     ruby \
@@ -20,7 +34,6 @@ COPY requirements.txt ./
 
 RUN pip3 install -r requirements.txt
 
-
 # Because Cachi2 doesn't support ruby, we've got to gem install it for now
 # Can look into building it from source later, although without prefetch
 # not much more secure

README.md

@@ -1,10 +1,106 @@
 # konflux-release-data-ci
-Config for building CI worker image for konflux-release-data repo
+
+Config for building CI worker image for konflux-release-data repo, including RBAC validation tools.
+
+## Overview
+
+This repository provides:
+- CI worker image configuration for the konflux-release-data repository
+- RBAC validation tools using Kubernetes' official validation library
+- Development tooling for RBAC policy verification
+
+## RBAC Validator Tool
+
+The `tools/` directory contains a Go-based RBAC validator that uses Kubernetes' official validation logic to verify RBAC policy subsets.
+
+### Purpose
+
+The RBAC validator ensures that user-defined roles and permissions are proper subsets of reference roles, preventing privilege escalation in Konflux tenants. It validates that:
+
+- User roles don't exceed the permissions granted by reference roles
+- APIGroups, Resources, Verbs, and ResourceNames are properly constrained
+- Multi-rule policies are comprehensively validated
+
+### Components
+
+#### `tools/rbac-validator.go`
+Main Go binary that:
+- Accepts JSON input with user rules and reference rules
+- Uses `k8s.io/component-helpers/auth/rbac/validation.Covers()` for authoritative validation
+- Returns JSON output indicating whether user rules are covered by reference rules
+- Handles errors gracefully with structured error responses
+
+#### `tools/rbac-validator_test.go`
+Comprehensive test suite with:
+- **Edge case validation**: APIGroups overlap, subresources, resourceNames constraints
+- **Real-world Konflux scenarios**: contributor vs admin roles, release pipeline permissions
+- **Binary integration tests**: End-to-end validation of JSON input/output
+- **Error handling tests**: Invalid JSON and malformed input validation
+
+#### `tools/Makefile`
+Development workflow automation:
+```bash
+make build      # Build the binary
+make test       # Run all tests
+make fmt        # Format Go code
+make lint       # Run golangci-lint
+make check-fmt  # Verify code formatting
+make ci         # Run full CI pipeline (format check, lint, test, build)
+```
+
+#### `tools/.golangci.yml`
+Linting configuration with security and code quality checks.
+
+### Integration
+
+The validator is integrated into the CI container and used by tenant validation scripts:
+
+1. **CI Container**: Binary is pre-built during container image creation
+2. **Smart Discovery**: Python scripts automatically find the binary via:
+   - PATH lookup for CI environments
+   - Local repository build for development
+   - On-demand compilation as fallback
+3. **Tenant Validation**: Used by `tenants-config/tests/` for validating production and staging tenant roles
+
+### Development Workflow
+
+#### Local Development
+```bash
+cd tools/
+make install-tools  # Install golangci-lint
+make ci            # Run full validation pipeline
+```
+
+#### Adding Test Cases
+Test cases should cover:
+- Real Konflux role scenarios from infra-deployments
+- Edge cases for RBAC validation behavior
+- Error conditions and malformed input
+
+#### Binary Usage
+```bash
+echo '{"userRules": [...], "referenceRules": [...]}' | ./rbac-validator
+```
+
+### Dependencies
+
+- Go 1.22+
+- `k8s.io/api` v0.30.0
+- `k8s.io/component-helpers` v0.30.0
+- golangci-lint (for development)
+
+## CI Worker Image
+
+The main CI worker image includes:
+- Python environment with tox support
+- Go toolchain for RBAC validator
+- Pre-built RBAC validator binary
+- Development tools and dependencies
 
 ## TODO - Need
 * Fix SBOM issues related to the ruby gem install
 * Ensure existing CI tests can run in this image
-* Try running mkdocs CI jobs and update image as necssesary
+* Try running mkdocs CI jobs and update image as necessary
 
 ## TODO - Should Do
 * Convert to UBI

rpms.in.yaml

@@ -12,6 +12,7 @@ packages:
   - python3-pip
   - diffutils
   - krb5-devel
+  - golang
 
 arches:
   - x86_64