Silence the logging that comes from Basenine and protocol dissectors (#835 )

OAS: use resolved service names (#827 )
* OAS service names to be resolved * fix test
2026-06-09 01:36:52 +00:00 · 2022-02-21 18:08:16 +03:00 · 2022-02-21 17:20:59 +03:00 · 2022-02-21 13:32:48 +02:00 · 2022-02-20 18:10:00 +02:00 · 2022-02-20 14:22:57 +02:00
26 changed files with 177 additions and 682 deletions
--- a/4
+++ b/4
@@ -78,8 +78,8 @@ RUN go build -ldflags="-extldflags=-static -s -w \
    -X 'github.com/up9inc/mizu/agent/pkg/version.Ver=${VER}'" -o mizuagent .
 # Download Basenine executable, verify the sha1sum
-ADD https://github.com/up9inc/basenine/releases/download/v0.4.16/basenine_linux_${GOARCH} ./basenine_linux_${GOARCH}
+ADD https://github.com/up9inc/basenine/releases/download/v0.4.17/basenine_linux_${GOARCH} ./basenine_linux_${GOARCH}
-ADD https://github.com/up9inc/basenine/releases/download/v0.4.16/basenine_linux_${GOARCH}.sha256 ./basenine_linux_${GOARCH}.sha256
+ADD https://github.com/up9inc/basenine/releases/download/v0.4.17/basenine_linux_${GOARCH}.sha256 ./basenine_linux_${GOARCH}.sha256
 RUN shasum -a 256 -c basenine_linux_${GOARCH}.sha256
 RUN chmod +x ./basenine_linux_${GOARCH}
 RUN mv ./basenine_linux_${GOARCH} ./basenine
--- a/acceptanceTests/cypress/integration/tests/Rabbit.js
+++ b/acceptanceTests/cypress/integration/tests/Rabbit.js
@@ -2,7 +2,6 @@ import {checkFilterByMethod, valueTabs,} from "../testHelpers/TrafficHelper";
 it('opening mizu', function () {
    cy.visit(Cypress.env('testUrl'));
    cy.get('#total-entries').invoke('text').should('match', /^[4-7][0-9]$/m)
 });
 const rabbitProtocolDetails = {name: 'AMQP', text: 'Advanced Message Queuing Protocol 0-9-1'};
--- a/acceptanceTests/extensions_test.go
+++ b/acceptanceTests/extensions_test.go
@@ -103,6 +103,7 @@ func TestRedis(t *testing.T) {
 }
 func TestAmqp(t *testing.T) {
 	t.Skip("Invalid test. Not stable")
 	if testing.Short() {
 		t.Skip("ignored acceptance test")
 	}
--- a/agent/go.mod
+++ b/agent/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/ory/kratos-client-go v0.8.2-alpha.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/stretchr/testify v1.7.0
-	github.com/up9inc/basenine/client/go v0.0.0-20220125035757-926e42208705
+	github.com/up9inc/basenine/client/go v0.0.0-20220220204122-0ef8cb24fab1
 	github.com/up9inc/mizu/shared v0.0.0
 	github.com/up9inc/mizu/tap v0.0.0
 	github.com/up9inc/mizu/tap/api v0.0.0
--- a/agent/go.sum
+++ b/agent/go.sum
@@ -853,8 +853,8 @@ github.com/ugorji/go v1.2.6/go.mod h1:anCg0y61KIhDlPZmnH+so+RQbysYVyDko0IMgJv0Nn
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/ugorji/go/codec v1.2.6 h1:7kbGefxLoDBuYXOms4yD7223OpNMMPNPZxXk5TvFcyQ=
 github.com/ugorji/go/codec v1.2.6/go.mod h1:V6TCNZ4PHqoHGFZuSG1W8nrCzzdgA2DozYxWFFpvxTw=
-github.com/up9inc/basenine/client/go v0.0.0-20220125035757-926e42208705 h1:5LLhzv0cjb/F+dU0z3j8teVGjQInMYAocTyAZohKUwY=
+github.com/up9inc/basenine/client/go v0.0.0-20220220204122-0ef8cb24fab1 h1:0XN8s3HtwUBr9hbWRAFulFMsu1f2cabfJbwpz/sOoLA=
-github.com/up9inc/basenine/client/go v0.0.0-20220125035757-926e42208705/go.mod h1:SvJGPoa/6erhUQV7kvHBwM/0x5LyO6XaG2lUaCaKiUI=
+github.com/up9inc/basenine/client/go v0.0.0-20220220204122-0ef8cb24fab1/go.mod h1:SvJGPoa/6erhUQV7kvHBwM/0x5LyO6XaG2lUaCaKiUI=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
--- a/agent/pkg/api/main.go
+++ b/agent/pkg/api/main.go
@@ -140,7 +140,17 @@ func startReadingChannel(outputItems <-chan *tapApi.OutputChannelItem, extension
 				mizuEntry.Rules = rules
 			}
-			entryWSource := oas.EntryWithSource{Entry: *harEntry, Source: mizuEntry.Source.Name, Id: mizuEntry.Id}
+			entryWSource := oas.EntryWithSource{
 				Entry:       *harEntry,
 				Source:      mizuEntry.Source.Name,
 				Destination: mizuEntry.Destination.Name,
 				Id:          mizuEntry.Id,
 			}
 			if entryWSource.Destination == "" {
 				entryWSource.Destination = mizuEntry.Destination.IP + ":" + mizuEntry.Destination.Port
 			}
 			oas.GetOasGeneratorInstance().PushEntry(&entryWSource)
 		}
--- a/agent/pkg/app/main.go
+++ b/agent/pkg/app/main.go
@@ -60,10 +60,6 @@ func LoadExtensions() {
 		return Extensions[i].Protocol.Priority < Extensions[j].Protocol.Priority
 	})
 	for _, extension := range Extensions {
 		logger.Log.Infof("Extension Properties: %+v", extension)
 	}
 	controllers.InitExtensionsMap(ExtensionsMap)
 }
--- a/agent/pkg/oas/feeder_test.go
+++ b/agent/pkg/oas/feeder_test.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"io"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
 	"sort"
@@ -139,7 +140,12 @@ func feedEntry(entry *har.Entry, source string, isSync bool, file string) {
 		logger.Log.Debugf("Interesting: %s", entry.Request.URL)
 	}
-	ews := EntryWithSource{Entry: *entry, Source: source, Id: uint(0)}
+	u, err := url.Parse(entry.Request.URL)
 	if err != nil {
 		logger.Log.Errorf("Failed to parse entry URL: %v, err: %v", entry.Request.URL, err)
 	}
 	ews := EntryWithSource{Entry: *entry, Source: source, Destination: u.Host, Id: uint(0)}
 	if isSync {
 		GetOasGeneratorInstance().entriesChan <- ews // blocking variant, right?
 	} else {
--- a/agent/pkg/oas/oas_generator.go
+++ b/agent/pkg/oas/oas_generator.go
@@ -54,11 +54,11 @@ func (g *oasGenerator) runGeneretor() {
 				logger.Log.Errorf("Failed to parse entry URL: %v, err: %v", entry.Request.URL, err)
 			}
-			val, found := g.ServiceSpecs.Load(u.Host)
+			val, found := g.ServiceSpecs.Load(entryWithSource.Destination)
 			var gen *SpecGen
 			if !found {
-				gen = NewGen(u.Scheme + "://" + u.Host)
+				gen = NewGen(u.Scheme + "://" + entryWithSource.Destination)
-				g.ServiceSpecs.Store(u.Host, gen)
+				g.ServiceSpecs.Store(entryWithSource.Destination, gen)
 			} else {
 				gen = val.(*SpecGen)
 			}
@@ -105,9 +105,10 @@ func newOasGenerator() *oasGenerator {
 }
 type EntryWithSource struct {
-	Source string
+	Source      string
-	Entry  har.Entry
+	Destination string
-	Id     uint
+	Entry       har.Entry
 	Id          uint
 }
 type oasGenerator struct {
--- a/cli/README.md.TEMPLATE
+++ b/cli/README.md.TEMPLATE
@@ -10,7 +10,7 @@ curl -Lo mizu https://github.com/up9inc/mizu/releases/download/_VER_/mizu_darwin
 **Mac** (AArch64/Apple M1 silicon)
 ```
-curl -Lo mizu https://github.com/up9inc/mizu/releases/download/_VER_/mizu_darwin_arm64 && chmod 755 mizu
+rm -f mizu && curl -Lo mizu https://github.com/up9inc/mizu/releases/download/_VER_/mizu_darwin_arm64 && chmod 755 mizu
 ```
 **Linux** (x86-64)
--- a/docs/PERMISSIONS.md
+++ b/docs/PERMISSIONS.md
@@ -80,327 +80,9 @@ Notes:
 ## List of permissions
-We broke down this list into few categories:
+The permissions that are required to run Mizu depend on the configuration.
 By default Mizu requires cluster-wide permissions.
 If these are not available to the user, it is possible to run Mizu in namespace-restricted mode which has a reduced set of requirements.
 This is done by by setting the `mizu-resources-namespace` config option. See [configuration](CONFIGURATION.md) for instructions.
- Required - what is needed for `mizu` to run properly on your k8s cluster
+The different requirements are listed in [the example roles dir](../examples/roles)
 - Optional - permissions needed for proper name resolving for service & pod IPs
  - addition required for policy validation
 ### Required permissions
 Mizu needs following permissions on your Kubernetes cluster to run properly
 ```yaml
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
 - apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
 ```
 #### Permissions required running with install command or (optional) for service / pod name resolving
 Mandatory permissions for running with install command.
 Optional for service/pod name resolving in non install standalone
 ```yaml
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - apps
  - extensions
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - apps
  - extensions
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
 ```
 #### Permissions for Policy rules validation feature (opt)
 Optionally, in order to use the policy rules validation feature, Mizu requires the following additional permissions:
 ```yaml
 - apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - create
  - delete
 ```
 - - -
 #### Namespace-Restricted mode
 Alternatively, in order to restrict Mizu to one namespace only (by setting `agent.namespace` in the config file), Mizu needs the following permissions in that namespace:
 ```yaml
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
 ```
 ##### Name resolving in Namespace-Restricted mode (opt)
 To restrict Mizu to one namespace while also resolving IPs, Mizu needs the following permissions in that namespace:
 ```yaml
 - apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - create
  - delete
 - apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - get
  - create
  - patch
  - delete
 - apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - get
  - create
  - delete
 - apiGroups:
  - apps
  - extensions
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - apps
  - extensions
  resources:
  - services
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  - apps
  - extensions
  resources:
  - endpoints
  verbs:
  - get
  - list
  - watch
 ```
--- a/examples/roles/permissions-all-namespaces-daemon.yaml
+++ b/examples/roles/permissions-all-namespaces-daemon.yaml
@@ -1,67 +0,0 @@
 # This example shows the roles required for a user to be able to use Mizu in all namespaces.
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-clusterrole
 rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: [ "apps" ]
    resources: [ "deployments" ]
    verbs: [ "get", "create", "delete" ]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "create", "patch", "delete", "list"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterrolebindings"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["get", "create", "delete"]
  - apiGroups: ["apps", "extensions"]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "extensions"]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["", "apps", "extensions"]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["list", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-clusterrolebindings
 subjects:
  - kind: User
    name: user1
    apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
  name: mizu-runner-clusterrole
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-all-namespaces-debug-optional.yaml
+++ b/examples/roles/permissions-all-namespaces-debug-optional.yaml
@@ -0,0 +1,25 @@
 # This example shows permissions that enrich the logs with additional info
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-clusterrole
 rules:
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-clusterrolebindings
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
  name: mizu-runner-debug-clusterrole
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
+++ b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
@@ -0,0 +1,37 @@
 # This example shows permissions that are required for Mizu to resolve IPs to service names
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-clusterrole
 rules:
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "create"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["get", "list", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["get", "list", "create", "delete"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-clusterrolebindings
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
  name: mizu-resolver-clusterrole
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml
+++ b/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml
@@ -1,5 +1,4 @@
-# This example shows the roles required for a user to be able to use Mizu in all namespaces with IP resolution disabled.
+# This example shows the permissions that are required in order to run the `mizu tap` command
 # (Traffic will be recorded, but Mizu will not translate IP addresses to names)
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -7,25 +6,22 @@ metadata:
 rules:
 - apiGroups: [""]
  resources: ["pods"]
-  verbs: ["list", "watch", "create", "delete"]
+  verbs: ["list", "watch", "create"]
 - apiGroups: [""]
  resources: ["services"]
-  verbs: ["create", "delete"]
+  verbs: ["get", "create"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
-  verbs: ["create", "patch", "delete"]
+  verbs: ["create", "patch"]
 - apiGroups: [""]
  resources: ["namespaces"]
-  verbs: ["get", "list", "watch", "create", "delete"]
+  verbs: ["list", "watch", "create", "delete"]
 - apiGroups: [""]
  resources: ["services/proxy"]
-  verbs: ["get"]
+  verbs: ["get", "create"]
 - apiGroups: [""]
  resources: ["configmaps"]
-  verbs: ["get", "create", "delete"]
+  verbs: ["create"]
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["list", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
--- a/examples/roles/permissions-all-namespaces.yaml
+++ b/examples/roles/permissions-all-namespaces.yaml
@@ -1,64 +0,0 @@
 # This example shows the roles required for a user to be able to use Mizu in all namespaces.
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-clusterrole
 rules:
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["create", "patch", "delete"]
 - apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get"]
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "create", "delete"]
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterrolebindings"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["apps", "extensions"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["list", "watch"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-clusterrolebindings
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: ClusterRole
  name: mizu-runner-clusterrole
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-ns-daemon.yaml
+++ b/examples/roles/permissions-ns-daemon.yaml
@@ -1,60 +0,0 @@
 # This example shows the roles required for a user to be able to use Mizu in a single namespace.
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-role
  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete"]
 - apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  verbs: [ "get", "create", "delete" ]
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "create", "patch", "delete", "list"]
 - apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get"]
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "create", "delete"]
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["apps", "extensions", ""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-rolebindings
  namespace: user1
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: mizu-runner-role
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-ns-debug-optional.yaml
+++ b/examples/roles/permissions-ns-debug-optional.yaml
@@ -0,0 +1,27 @@
 # This example shows permissions that enrich the logs with additional info in namespace-restricted mode
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-role
  namespace: user1
 rules:
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["watch"]
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-debug-rolebindings
  namespace: user1
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: mizu-runner-debug-role
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-ns-ip-resolution-optional.yaml
+++ b/examples/roles/permissions-ns-ip-resolution-optional.yaml
@@ -0,0 +1,39 @@
 # This example shows permissions that are required for Mizu to resolve IPs to service names in namespace-restricted mode
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-role
  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "list", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "list", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "list", "create", "delete"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-resolver-rolebindings
  namespace: user1
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: mizu-resolver-role
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-ns-without-ip-resolution.yaml
+++ b/examples/roles/permissions-ns-without-ip-resolution.yaml
@@ -1,4 +1,4 @@
-# This example shows the roles required for a user to be able to use Mizu in a single namespace with IP resolution disabled.
+# This example shows the permissions that are required in order to run the `mizu tap` command in namespace-restricted mode
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -7,22 +7,19 @@ metadata:
 rules:
 - apiGroups: [""]
  resources: ["pods"]
-  verbs: ["get", "list", "watch", "create", "delete"]
+  verbs: ["list", "watch", "create"]
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
-  verbs: ["get", "create", "patch", "delete"]
+  verbs: ["create", "patch", "delete"]
 - apiGroups: [""]
  resources: ["services/proxy"]
-  verbs: ["get"]
+  verbs: ["get", "create", "delete"]
 - apiGroups: [""]
  resources: ["configmaps"]
-  verbs: ["get", "create", "delete"]
+  verbs: ["create", "delete"]
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
--- a/examples/roles/permissions-ns-with-validation.yaml
+++ b/examples/roles/permissions-ns-with-validation.yaml
@@ -1,57 +0,0 @@
 # This example shows the roles required for a user to be able to use Mizu in a single namespace.
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-role
  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "create", "patch", "delete"]
 - apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get"]
 - apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "create", "delete"]
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["apps", "extensions"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-rolebindings
  namespace: user1
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: mizu-runner-role
  apiGroup: rbac.authorization.k8s.io
--- a/examples/roles/permissions-ns.yaml
+++ b/examples/roles/permissions-ns.yaml
@@ -1,57 +0,0 @@
 # This example shows the roles required for a user to be able to use Mizu in a single namespace.
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-role
  namespace: user1
 rules:
 - apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch", "create", "delete"]
 - apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "create", "patch", "delete"]
 - apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get"]
 - apiGroups: [ "" ]
  resources: [ "configmaps" ]
  verbs: [ "get", "create", "delete" ]
 - apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["get", "create", "delete"]
 - apiGroups: ["apps", "extensions"]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["apps", "extensions"]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["", "apps", "extensions"]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch"]
 - apiGroups: ["events.k8s.io"]
  resources: ["events"]
  verbs: ["list", "watch"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: mizu-runner-rolebindings
  namespace: user1
 subjects:
 - kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
 roleRef:
  kind: Role
  name: mizu-runner-role
  apiGroup: rbac.authorization.k8s.io
--- a/tap/extensions/amqp/main.go
+++ b/tap/extensions/amqp/main.go
@@ -27,10 +27,6 @@ var protocol api.Protocol = api.Protocol{
 	Priority:        1,
 }
 func init() {
 	log.Println("Initializing AMQP extension...")
 }
 type dissecting string
 func (d dissecting) Register(extension *api.Extension) {
--- a/tap/extensions/http/main.go
+++ b/tap/extensions/http/main.go
@@ -76,10 +76,6 @@ const (
 	TypeHttpResponse
 )
 func init() {
 	log.Println("Initializing HTTP extension...")
 }
 type dissecting string
 func (d dissecting) Register(extension *api.Extension) {
--- a/tap/extensions/kafka/main.go
+++ b/tap/extensions/kafka/main.go
@@ -25,10 +25,6 @@ var _protocol api.Protocol = api.Protocol{
 	Priority:        2,
 }
 func init() {
 	log.Println("Initializing Kafka extension...")
 }
 type dissecting string
 func (d dissecting) Register(extension *api.Extension) {
--- a/tap/extensions/redis/main.go
+++ b/tap/extensions/redis/main.go
@@ -24,10 +24,6 @@ var protocol api.Protocol = api.Protocol{
 	Priority:        3,
 }
 func init() {
 	log.Println("Initializing Redis extension...")
 }
 type dissecting string
 func (d dissecting) Register(extension *api.Extension) {
Author	SHA1	Message	Date
M. Mert Yıldıran	cf3106f636	Silence the logging that comes from Basenine and protocol dissectors (#835 )	2022-02-21 18:08:16 +03:00
Andrey Pokhilko	a553a1b683	OAS: use resolved service names (#827 ) * OAS service names to be resolved * fix test	2022-02-21 17:20:59 +03:00
Igor Gov	2a6bbd66e6	Update relase template for Mac M1 executable (#836 ) * Update release template for Mac M1	2022-02-21 13:32:48 +02:00
Adam Kol	5a4baa05ca	rabbit test is skipped temporarily (#833 )	2022-02-20 18:10:00 +02:00
Nimrod Gilboa Markevich	4ec9b9b475	Remove permissions examples for deprecated install process (#832 ) * Remove examples related to the install cmd * Remove install cmd references from docs/PERMISSIONS.md	2022-02-20 14:22:57 +02:00
Nimrod Gilboa Markevich	1e2288b9a8	Update permission examples (#824 ) Reorganize permissions example. Permissions for optional features are separated from those that are mandatory. Revised the list of permissions. Added and removed features to make it fit what Mizu currently requires.	2022-02-20 13:16:15 +02:00
Adam Kol	74f58a88bf	no minimum entries check (#826 ) Co-authored-by: gadotroee <55343099+gadotroee@users.noreply.github.com>	2022-02-19 20:03:23 +02:00