npm - @raishin/vanguard-frontier-agentic - Versions diffs - 1.9.0 → 2.0.1 - Mend

@raishin/vanguard-frontier-agentic 1.9.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1065) hide show

package/tests/integration/rbac-pre-flight/README.md ADDED Viewed

@@ -0,0 +1,160 @@
+# RBAC Pre-flight Integration Tests
+Regression harness for the least-privilege RBAC bindings of all 7 Vanguard
+Kubernetes live-guard agents. The suite creates a real kind cluster, applies
+each guard's `least-privilege-rbac.yaml`, and then asserts every row in the
+`rbac-pre-flight.md` matrices — both the universal must-not-be-yes block and
+each guard's domain-specific checks.
+Running this suite after any change to an RBAC manifest catches privilege
+creep and under-scoping before the change reaches a production cluster.
+---
+## Purpose
+Kubernetes RBAC semantics evolve across minor versions. An RBAC manifest that
+is correctly scoped on 1.28 may silently acquire broader rights on 1.30 if a
+new built-in ClusterRole or defaulting behavior changes. This suite pins the
+expected can-i matrix for every guard so that changes to Kubernetes itself,
+or accidental edits to the manifests, are caught immediately in CI.
+---
+## Requirements
+| Tool   | Minimum version |
+|--------|----------------|
+| kind   | 0.22            |
+| k3d    | 5.6 (alternative to kind) |
+| kubectl | 1.28           |
+| bash   | 4.0+            |
+The tests do not require Docker Desktop — rootless Docker or Podman work as
+long as kind can reach them.
+---
+## Running locally
+```bash
+# Full run: creates a kind cluster, tests all guards, destroys the cluster
+cd tests/integration/rbac-pre-flight
+./run-all.sh
+# Use a specific Kubernetes version (default: v1.30.6)
+KIND_K8S_VERSION=v1.29.10 ./run-all.sh
+# Skip cluster creation and run against your current kubeconfig context
+./run-all.sh --skip-cluster-create
+# Run only one guard
+./run-all.sh --guard=rbac-mutation
+# Combine flags
+./run-all.sh --skip-cluster-create --guard=network-arch
+```
+A timestamped log is always written to `/tmp/rbac-preflight-<timestamp>.log`.
+---
+## Exit codes
+| Code | Meaning |
+|------|---------|
+| 0    | All assertions passed (SKIP rows do not count as failures) |
+| 1    | One or more assertions failed |
+---
+## How CI works
+The GitHub Actions workflow is at `ci/kind-rbac-preflight.yaml`. It triggers
+on any change to:
+- `agents/**/references/least-privilege-rbac.yaml`
+- `skills/**/references/least-privilege-rbac.yaml`
+- `agents/**/references/rbac-pre-flight.md`
+- `skills/**/references/rbac-pre-flight.md`
+- `tests/integration/rbac-pre-flight/**`
+The workflow runs `run-all.sh` in a matrix across four Kubernetes versions
+(1.28, 1.29, 1.30, 1.31) using `fail-fast: false` so all matrix legs
+complete even when one fails. On failure, the log file is uploaded as a
+GitHub Actions artifact.
+---
+## Understanding SKIP rows
+Several domain-specific checks target CRDs that are not installed in a
+vanilla kind cluster:
+| CRD group | Example guard | Pre-install URL |
+|-----------|--------------|-----------------|
+| `gateway.networking.k8s.io` | network-arch | https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml |
+| `cilium.io` | network-policy | https://docs.cilium.io/en/stable/installation/k8s-install-helm/ |
+| `security.istio.io`, `networking.istio.io` | mesh-policy | https://istio.io/latest/docs/setup/install/ |
+| `kyverno.io` | admission-policy | https://kyverno.io/docs/installation/ |
+| `argoproj.io` | argocd-sync | https://argo-cd.readthedocs.io/en/stable/getting_started/ |
+| `velero.io` | velero-restore | https://velero.io/docs/latest/basic-install/ |
+SKIP rows are informational — the binding cannot be checked without the CRD
+present. To validate those rows, pre-apply the CRDs before running the suite:
+```bash
+# Example: test Gateway API rows
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
+./run-all.sh --skip-cluster-create
+```
+---
+## Note on impersonation
+`kubectl auth can-i --as=<serviceaccount>` requires the requesting principal
+to have `impersonate` rights. In a kind cluster where you start as
+cluster-admin this works without additional configuration. The manifests
+themselves grant no impersonation rights to the guard ServiceAccounts.
+If you are running `--skip-cluster-create` against a hardened cluster, ensure
+your kubeconfig principal has `impersonate` on `users`, `groups`, and
+`serviceaccounts`.
+---
+## Adding a new guard
+1. Copy an existing file in `guards/` and rename it.
+2. Update the `SA` variable to the new ServiceAccount name.
+3. Call `run_universal_must_not "$SA"` at the top.
+4. Add domain-specific `assert_can` / `assert_cannot` calls extracted from
+   the guard's `references/rbac-pre-flight.md`.
+5. Call `report_guard "<guard-name>"` at the end.
+6. Register the new guard in `run-all.sh`:
+   - Add an entry to the `GUARD_FN` associative array.
+   - Add the guard name to `GUARD_ORDER`.
+   - Source the new file with `source "$SCRIPT_DIR/guards/<name>.sh"`.
+---
+## File layout
+```
+tests/integration/rbac-pre-flight/
+  README.md                  — this file
+  run-all.sh                 — main entrypoint
+  lib/
+    common.sh                — assert_can / assert_cannot helpers
+  guards/
+    network-arch.sh          — network-architecture-mutation guard
+    network-policy.sh        — network-policy guard
+    mesh-policy.sh           — mesh-policy guard
+    admission-policy.sh      — admission-policy guard
+    argocd-sync.sh           — argocd-sync guard
+    rbac-mutation.sh         — rbac-mutation guard
+    velero-restore.sh        — velero-restore guard
+  ci/
+    kind-rbac-preflight.yaml — GitHub Actions workflow
+```

package/tests/integration/rbac-pre-flight/ci/kind-rbac-preflight.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+name: RBAC Pre-flight Integration Test
+on:
+  push:
+    paths:
+      - 'agents/**/references/least-privilege-rbac.yaml'
+      - 'skills/**/references/least-privilege-rbac.yaml'
+      - 'agents/**/references/rbac-pre-flight.md'
+      - 'skills/**/references/rbac-pre-flight.md'
+      - 'tests/integration/rbac-pre-flight/**'
+  pull_request:
+    paths:
+      - 'agents/**/references/least-privilege-rbac.yaml'
+      - 'skills/**/references/least-privilege-rbac.yaml'
+      - 'agents/**/references/rbac-pre-flight.md'
+      - 'skills/**/references/rbac-pre-flight.md'
+      - 'tests/integration/rbac-pre-flight/**'
+  workflow_dispatch: {}
+jobs:
+  rbac-pre-flight:
+    name: RBAC Pre-flight (${{ matrix.k8s-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        k8s-version: ['v1.28.15', 'v1.29.10', 'v1.30.6', 'v1.31.2']
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install kind
+        uses: helm/kind-action@v1.10.0
+        with:
+          install_only: true
+      - name: Run RBAC pre-flight tests
+        run: |
+          chmod +x tests/integration/rbac-pre-flight/run-all.sh
+          tests/integration/rbac-pre-flight/run-all.sh
+        env:
+          KIND_K8S_VERSION: ${{ matrix.k8s-version }}
+      - name: Upload test results on failure
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: rbac-preflight-results-${{ matrix.k8s-version }}
+          path: /tmp/rbac-preflight-*.log

package/tests/integration/rbac-pre-flight/guards/admission-policy.sh ADDED Viewed

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+# guards/admission-policy.sh — RBAC pre-flight for kubernetes-live-admission-policy-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_admission_policy() {
+  begin_guard "admission-policy"
+  local SA="system:serviceaccount:vanguard-system:vanguard-admission-policy-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-admission-policy-guard-agent/references/rbac-pre-flight.md)
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Webhook configurations — operator install only
+  # Note: create mutatingwebhookconfigurations already covered by universal block;
+  # these additional verbs are domain-specific.
+  assert_cannot patch mutatingwebhookconfigurations.admissionregistration.k8s.io "--as=$SA"
+  assert_cannot patch validatingwebhookconfigurations.admissionregistration.k8s.io "--as=$SA"
+  # Delete on policies — rollback via apply -f baseline
+  # Kyverno CRDs may not exist in vanilla kind
+  assert_cannot_or_skip delete clusterpolicies.kyverno.io "--as=$SA"
+  assert_cannot delete validatingadmissionpolicies.admissionregistration.k8s.io "--as=$SA"
+  # Kyverno control plane (namespace always exists once kyverno is installed;
+  # patch deployments/configmaps check works even if kyverno is absent — returns no)
+  assert_cannot patch deployments -n kyverno "--as=$SA"
+  assert_cannot patch configmaps -n kyverno "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Kyverno CRDs — skip not fail if absent
+  assert_can_or_skip create clusterpolicies.kyverno.io "--as=$SA"
+  assert_can_or_skip patch clusterpolicies.kyverno.io "--as=$SA"
+  assert_can_or_skip create policies.kyverno.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create policyexceptions.kyverno.io --all-namespaces "--as=$SA"
+  assert_can_or_skip list clusterpolicies.kyverno.io "--as=$SA"
+  # ValidatingAdmissionPolicy is GA in 1.30+, available in 1.28+ as beta
+  assert_can create validatingadmissionpolicies.admissionregistration.k8s.io "--as=$SA"
+  report_guard "admission-policy"
+}

package/tests/integration/rbac-pre-flight/guards/argocd-sync.sh ADDED Viewed

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+# guards/argocd-sync.sh — RBAC pre-flight for kubernetes-live-argocd-sync-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_argocd_sync() {
+  begin_guard "argocd-sync"
+  local SA="system:serviceaccount:vanguard-system:vanguard-argocd-sync-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-argocd-sync-guard-agent/references/rbac-pre-flight.md)
+  # All Argo CD CRDs are absent in vanilla kind — use assert_cannot_or_skip.
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes (Argo CD CRDs, SKIP if absent) --%b\n' "$_CYAN" "$_RESET"
+  # Delete on Argo CD resources — rollback via apply -f baseline
+  assert_cannot_or_skip delete applications.argoproj.io --all-namespaces "--as=$SA"
+  assert_cannot_or_skip delete applicationsets.argoproj.io --all-namespaces "--as=$SA"
+  assert_cannot_or_skip delete appprojects.argoproj.io --all-namespaces "--as=$SA"
+  # AppProject and ApplicationSet writes — GitOps-only territory
+  assert_cannot_or_skip create appprojects.argoproj.io -n argocd "--as=$SA"
+  assert_cannot_or_skip patch appprojects.argoproj.io -n argocd "--as=$SA"
+  assert_cannot_or_skip create applicationsets.argoproj.io -n argocd "--as=$SA"
+  assert_cannot_or_skip patch applicationsets.argoproj.io -n argocd "--as=$SA"
+  # Argo CD control plane (standard resources — not CRD-dependent)
+  assert_cannot patch deployments -n argocd "--as=$SA"
+  assert_cannot patch configmaps -n argocd "--as=$SA"
+  assert_cannot get secrets -n argocd "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # Argo CD CRDs — skip not fail if absent
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes (Argo CD CRDs, SKIP if absent) --%b\n' "$_CYAN" "$_RESET"
+  assert_can_or_skip list applications.argoproj.io -n argocd "--as=$SA"
+  assert_can_or_skip list applicationsets.argoproj.io -n argocd "--as=$SA"
+  assert_can_or_skip list appprojects.argoproj.io -n argocd "--as=$SA"
+  assert_can_or_skip patch applications.argoproj.io -n argocd "--as=$SA"
+  report_guard "argocd-sync"
+}

package/tests/integration/rbac-pre-flight/guards/mesh-policy.sh ADDED Viewed

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+# guards/mesh-policy.sh — RBAC pre-flight for kubernetes-live-mesh-policy-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_mesh_policy() {
+  begin_guard "mesh-policy"
+  local SA="system:serviceaccount:vanguard-system:vanguard-mesh-policy-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-mesh-policy-guard-agent/references/rbac-pre-flight.md)
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Delete on policies — rollback is via apply -f baseline, not delete
+  # Istio CRDs may not exist in vanilla kind
+  assert_cannot_or_skip delete authorizationpolicies.security.istio.io --all-namespaces "--as=$SA"
+  assert_cannot_or_skip delete peerauthentications.security.istio.io --all-namespaces "--as=$SA"
+  # istio-system control plane — core resources always present even without Istio CRDs
+  assert_cannot patch deployments -n istio-system "--as=$SA"
+  assert_cannot patch configmaps -n istio-system "--as=$SA"
+  # Istio Gateway resources — delegated to network-architecture guard
+  assert_cannot_or_skip create gateways.networking.istio.io --all-namespaces "--as=$SA"
+  assert_cannot_or_skip patch gateways.networking.istio.io --all-namespaces "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # Istio CRDs — skip not fail if absent in vanilla kind
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes (Istio CRDs, SKIP if absent) --%b\n' "$_CYAN" "$_RESET"
+  assert_can_or_skip create authorizationpolicies.security.istio.io --all-namespaces "--as=$SA"
+  assert_can_or_skip patch authorizationpolicies.security.istio.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create peerauthentications.security.istio.io --all-namespaces "--as=$SA"
+  assert_can_or_skip patch peerauthentications.security.istio.io --all-namespaces "--as=$SA"
+  assert_can_or_skip list virtualservices.networking.istio.io --all-namespaces "--as=$SA"
+  assert_can_or_skip list peerauthentications.security.istio.io --all-namespaces "--as=$SA"
+  report_guard "mesh-policy"
+}

package/tests/integration/rbac-pre-flight/guards/network-arch.sh ADDED Viewed

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# guards/network-arch.sh — RBAC pre-flight for kubernetes-live-network-architecture-mutation-guard
+# Source lib/common.sh before running this file.
+run_guard_network_arch() {
+  begin_guard "network-architecture-mutation"
+  local SA="system:serviceaccount:vanguard-system:vanguard-network-arch-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from skills/kubernetes/kubernetes-live-network-architecture-mutation-guard/references/rbac-pre-flight.md)
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Namespace destruction
+  assert_cannot delete namespaces/kube-system "--as=$SA"
+  assert_cannot delete namespaces/cilium "--as=$SA"
+  assert_cannot delete namespaces/istio-system "--as=$SA"
+  # kube-system daemonset patches
+  assert_cannot patch daemonsets/cilium -n kube-system "--as=$SA"
+  assert_cannot patch daemonsets/kube-proxy -n kube-system "--as=$SA"
+  # Broad secret access
+  assert_cannot list secrets --all-namespaces "--as=$SA"
+  # Privilege escalation
+  assert_cannot create clusterroles "--as=$SA"
+  assert_cannot escalate roles "--as=$SA"
+  assert_cannot bind roles "--as=$SA"
+  assert_cannot impersonate users "--as=$SA"
+  assert_cannot impersonate groups "--as=$SA"
+  assert_cannot impersonate serviceaccounts "--as=$SA"
+  # Node lifecycle
+  assert_cannot delete nodes "--as=$SA"
+  assert_cannot patch nodes "--as=$SA"
+  assert_cannot update nodes "--as=$SA"
+  assert_cannot create pods/eviction "--as=$SA"
+  assert_cannot get nodes/proxy "--as=$SA"
+  assert_cannot create nodes/proxy "--as=$SA"
+  # Lease objects
+  assert_cannot patch leases.coordination.k8s.io -n kube-node-lease "--as=$SA"
+  # Admission webhook configs (additional verbs beyond universal)
+  assert_cannot patch mutatingwebhookconfigurations.admissionregistration.k8s.io "--as=$SA"
+  assert_cannot patch validatingwebhookconfigurations.admissionregistration.k8s.io "--as=$SA"
+  assert_cannot delete validatingwebhookconfigurations.admissionregistration.k8s.io "--as=$SA"
+  # APIService aggregation
+  assert_cannot patch apiservices.apiregistration.k8s.io "--as=$SA"
+  assert_cannot delete apiservices.apiregistration.k8s.io "--as=$SA"
+  # Pod subresources
+  assert_cannot create pods/proxy --all-namespaces "--as=$SA"
+  assert_cannot create pods/binding --all-namespaces "--as=$SA"
+  # CSR / token minting
+  assert_cannot create certificatesigningrequests.certificates.k8s.io "--as=$SA"
+  # Manual Endpoints / EndpointSlices writes
+  assert_cannot create endpoints --all-namespaces "--as=$SA"
+  assert_cannot patch endpoints --all-namespaces "--as=$SA"
+  assert_cannot create endpointslices.discovery.k8s.io --all-namespaces "--as=$SA"
+  assert_cannot patch endpointslices.discovery.k8s.io --all-namespaces "--as=$SA"
+  # kube-system ConfigMap writes outside the resourceName-locked allowlist
+  assert_cannot patch configmaps/cilium-config -n kube-system "--as=$SA"
+  assert_cannot patch configmaps/kube-proxy -n kube-system "--as=$SA"
+  assert_cannot patch configmaps/kubelet-config -n kube-system "--as=$SA"
+  assert_cannot patch configmaps/cluster-info -n kube-public "--as=$SA"
+  # PriorityClass / IngressClass / StorageClass
+  assert_cannot patch priorityclasses.scheduling.k8s.io "--as=$SA"
+  assert_cannot delete ingressclasses.networking.k8s.io "--as=$SA"
+  assert_cannot patch ingressclasses.networking.k8s.io "--as=$SA"
+  assert_cannot patch storageclasses.storage.k8s.io "--as=$SA"
+  # Finalizer-stripping paths
+  assert_cannot update customresourcedefinitions/finalize "--as=$SA"
+  # resourceName negative tests — same configmap name in wrong namespace
+  assert_cannot patch configmaps/coredns -n default "--as=$SA"
+  assert_cannot patch configmaps/coredns -n kube-public "--as=$SA"
+  assert_cannot patch configmaps/extension-apiserver-authentication -n kube-system "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes --%b\n' "$_CYAN" "$_RESET"
+  assert_can get services --all-namespaces "--as=$SA"
+  assert_can list services --all-namespaces "--as=$SA"
+  assert_can patch services --all-namespaces "--as=$SA"
+  assert_can get endpointslices --all-namespaces "--as=$SA"
+  assert_can get nodes "--as=$SA"
+  assert_can get configmaps -n kube-system "--as=$SA"
+  # CoreDNS Corefile (resourceName-locked — positive side of resourceName test)
+  assert_can patch configmaps/coredns -n kube-system "--as=$SA"
+  assert_can get configmaps/coredns -n kube-system "--as=$SA"
+  # Gateway API resources — CRDs not present in vanilla kind; skip not fail
+  printf '%b  -- Gateway API checks (SKIP if CRDs absent) --%b\n' "$_CYAN" "$_RESET"
+  assert_can_or_skip create gateways.gateway.networking.k8s.io --all-namespaces "--as=$SA"
+  assert_can_or_skip patch gateways.gateway.networking.k8s.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create httproutes.gateway.networking.k8s.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create grpcroutes.gateway.networking.k8s.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create referencegrants.gateway.networking.k8s.io --all-namespaces "--as=$SA"
+  report_guard "network-architecture-mutation"
+}

package/tests/integration/rbac-pre-flight/guards/network-policy.sh ADDED Viewed

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+# guards/network-policy.sh — RBAC pre-flight for kubernetes-live-network-policy-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_network_policy() {
+  begin_guard "network-policy"
+  local SA="system:serviceaccount:vanguard-system:vanguard-network-policy-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-network-policy-guard-agent/references/rbac-pre-flight.md)
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Cluster-wide policy writes — opt-in only; Cilium CRDs may not exist in kind
+  assert_cannot_or_skip create ciliumclusterwidenetworkpolicies.cilium.io "--as=$SA"
+  assert_cannot_or_skip patch ciliumclusterwidenetworkpolicies.cilium.io "--as=$SA"
+  assert_cannot_or_skip delete ciliumclusterwidenetworkpolicies.cilium.io "--as=$SA"
+  # Delete on namespaced policies — rollback is via apply -f baseline, not delete
+  assert_cannot_or_skip delete ciliumnetworkpolicies.cilium.io --all-namespaces "--as=$SA"
+  assert_cannot delete networkpolicies.networking.k8s.io --all-namespaces "--as=$SA"
+  # Cilium agent ConfigMap
+  assert_cannot patch configmaps/cilium-config -n kube-system "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Cilium CRDs — skip not fail if CRDs absent
+  assert_can_or_skip create ciliumnetworkpolicies.cilium.io --all-namespaces "--as=$SA"
+  assert_can_or_skip patch ciliumnetworkpolicies.cilium.io --all-namespaces "--as=$SA"
+  assert_can_or_skip create ciliumegressgatewaypolicies.cilium.io --all-namespaces "--as=$SA"
+  assert_can_or_skip list ciliumnetworkpolicies.cilium.io --all-namespaces "--as=$SA"
+  assert_can_or_skip list ciliumendpoints.cilium.io --all-namespaces "--as=$SA"
+  # Core NetworkPolicy (always present)
+  assert_can create networkpolicies.networking.k8s.io --all-namespaces "--as=$SA"
+  report_guard "network-policy"
+}

package/tests/integration/rbac-pre-flight/guards/rbac-mutation.sh ADDED Viewed

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# guards/rbac-mutation.sh — RBAC pre-flight for kubernetes-live-rbac-mutation-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_rbac_mutation() {
+  begin_guard "rbac-mutation"
+  local SA="system:serviceaccount:vanguard-system:vanguard-rbac-mutation-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-rbac-mutation-guard-agent/references/rbac-pre-flight.md)
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes --%b\n' "$_CYAN" "$_RESET"
+  # Cluster-scoped RBAC writes — opt-in only; default refusal
+  assert_cannot create clusterroles.rbac.authorization.k8s.io "--as=$SA"
+  assert_cannot create clusterrolebindings.rbac.authorization.k8s.io "--as=$SA"
+  assert_cannot patch clusterroles.rbac.authorization.k8s.io "--as=$SA"
+  assert_cannot patch clusterrolebindings.rbac.authorization.k8s.io "--as=$SA"
+  # Privilege-escalation primitives
+  assert_cannot escalate roles.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_cannot bind roles.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_cannot escalate clusterroles.rbac.authorization.k8s.io "--as=$SA"
+  assert_cannot bind clusterroles.rbac.authorization.k8s.io "--as=$SA"
+  assert_cannot impersonate users "--as=$SA"
+  assert_cannot impersonate groups "--as=$SA"
+  assert_cannot impersonate serviceaccounts --all-namespaces "--as=$SA"
+  # Delete — rollback is via apply -f baseline
+  assert_cannot delete roles.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_cannot delete rolebindings.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  # ServiceAccount creation (separate from RBAC; could be used to create a privileged SA)
+  assert_cannot create serviceaccounts --all-namespaces "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes --%b\n' "$_CYAN" "$_RESET"
+  assert_can create roles.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_can patch roles.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_can create rolebindings.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_can patch rolebindings.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_can list rolebindings.rbac.authorization.k8s.io --all-namespaces "--as=$SA"
+  assert_can list serviceaccounts --all-namespaces "--as=$SA"
+  report_guard "rbac-mutation"
+}

package/tests/integration/rbac-pre-flight/guards/velero-restore.sh ADDED Viewed

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# guards/velero-restore.sh — RBAC pre-flight for kubernetes-live-velero-restore-guard-agent
+# Source lib/common.sh before running this file.
+run_guard_velero_restore() {
+  begin_guard "velero-restore"
+  local SA="system:serviceaccount:vanguard-system:vanguard-velero-restore-guard"
+  # -------------------------------------------------------------------------
+  # Universal must-not-be-yes
+  # -------------------------------------------------------------------------
+  run_universal_must_not "$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-not-be-yes
+  # (from agents/kubernetes/kubernetes-live-velero-restore-guard-agent/references/rbac-pre-flight.md)
+  # All Velero CRDs are absent in vanilla kind — use assert_cannot_or_skip.
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-not-be-yes (Velero CRDs, SKIP if absent) --%b\n' "$_CYAN" "$_RESET"
+  # Schedule writes — operator install only
+  assert_cannot_or_skip create schedules.velero.io -n velero "--as=$SA"
+  assert_cannot_or_skip patch schedules.velero.io -n velero "--as=$SA"
+  assert_cannot_or_skip delete schedules.velero.io -n velero "--as=$SA"
+  # BackupStorageLocation writes — security-critical (s3 credentials)
+  assert_cannot_or_skip patch backupstoragelocations.velero.io -n velero "--as=$SA"
+  assert_cannot_or_skip delete backupstoragelocations.velero.io -n velero "--as=$SA"
+  # Backup deletion — rollback option loss
+  assert_cannot_or_skip delete backups.velero.io -n velero "--as=$SA"
+  assert_cannot_or_skip patch backups.velero.io -n velero "--as=$SA"
+  # Velero control plane (standard resources — not CRD-dependent)
+  assert_cannot patch deployments -n velero "--as=$SA"
+  assert_cannot get secrets -n velero "--as=$SA"
+  # -------------------------------------------------------------------------
+  # Domain-specific must-be-yes
+  # Velero CRDs — skip not fail if absent
+  # -------------------------------------------------------------------------
+  printf '%b  -- domain-specific must-be-yes (Velero CRDs, SKIP if absent) --%b\n' "$_CYAN" "$_RESET"
+  assert_can_or_skip create restores.velero.io -n velero "--as=$SA"
+  assert_can_or_skip create backups.velero.io -n velero "--as=$SA"
+  assert_can_or_skip list backups.velero.io -n velero "--as=$SA"
+  assert_can_or_skip list backupstoragelocations.velero.io -n velero "--as=$SA"
+  assert_can_or_skip list restores.velero.io -n velero "--as=$SA"
+  report_guard "velero-restore"
+}