docs: RBAC and check namespace (#192)

* docs: RBAC and check namespace

* chore: remove old references

* cleanup

* add relationships docs to alert manager & move namespace to alertmanager

* refactor: security

canary-checker/docs/reference/1-alert-manager.mdx

@@ -47,7 +47,11 @@ spec:
     description: "A list of alert prefix names to include",
     scheme: '[]string'
   },
-
+  {
+    field: "relationships",
+    description: "Link the check results to components and configs using lookup expressions.",
+    scheme: '[Relationships](#relationships)'
+  },
   {
     field: "ignore",
     description: "A list of alert prefix names to exclude",
@@ -58,6 +62,104 @@ spec:
     description: "A map of label to value prefixes to find alerts on",
     scheme: "map[string]string"
   }
-
 ]}/>
 
+## Relationships
+
+<Fields
+  rows={[
+    {
+      field: 'config',
+      description: 'Select all the configs to link to this check',
+      scheme: '[Lookup](#lookup)'
+    },
+    {
+      field: 'components',
+      description: 'Select all the components to link to this check',
+      scheme: '[Lookup](#lookup)'
+    }
+  ]}
+/>
+
+### Lookup
+
+<Fields
+  rows={[
+    {
+      field: 'name',
+      description: 'Initial delay before the checks are run',
+      scheme: '[Lookup Selector](#lookup-selector)'
+    },
+    {
+      field: 'namespace',
+      description: 'Timeout for the check',
+      scheme: '[Lookup Selector](#lookup-selector)'
+    },
+    {
+      field: 'type',
+      description: 'Timeout for the check',
+      scheme: '[Lookup Selector](#lookup-selector)'
+    }
+  ]}
+/>
+
+#### Lookup selector
+
+Lookup specifies the type of lookup to perform.
+
+<Fields
+  rows={[
+    {
+      field: 'expr',
+      description: 'Expr is a cel-expression',
+      scheme: 'string'
+    },
+    {
+      field: 'value',
+      description: 'Value is the static value to use',
+      scheme: 'string'
+    },
+    {
+      field: 'value',
+      description: 'Label specifies the key to lookup on the label',
+      scheme: 'string'
+    }
+  ]}
+/>
+
+## Inserting checks into different namespaces
+
+You can specify different namespaces for checks using the `namespace` field. This is helpful when checks are dynamically generated via transformation
+and need to be assigned their respective namespace.
+
+```yaml title="alertmanager.yaml"
+apiVersion: canaries.flanksource.com/v1
+kind: Canary
+metadata:
+  name: alertmanager
+spec:
+  interval: 30
+  alertmanager:
+    - url: https://alertmanager.demo.aws.flanksource.com
+      name: alertmanager-check
+      alerts:
+        - .*
+      ignore:
+        - KubeScheduler.*
+      exclude_filters:
+        namespace: elastic-system
+      transform:
+        expr: |
+          results.alerts.map(r, {
+            'name': r.name + r.fingerprint,
+            // highlight-next-line
+            'namespace': 'namespace' in r.labels ? r.labels.namespace : '',
+            'labels': r.labels,
+            'icon': 'alert',
+            'message': r.message,
+            'description': r.message,
+          }).toJSON()
+```
+
+The above alertmanager canary can reside on any namespace and the check it generates are assigned the correct namespace derived from the alerts.
+

canary-checker/docs/reference/1-kubernetes.mdx

@@ -7,8 +7,8 @@ sidebar_class_name: popular
 
 The Kubernetes check performs requests on Kubernetes resources such as Pods to get the desired information.
 
-
 ```yaml title="junit.yaml"  file=../../../modules/canary-checker/fixtures/k8s/kubernetes-minimal_pass.yaml
+
 ```
 
 <HealthCheck name="kubernetes" edition="standard" connection="kubeconfig"  rows={[
@@ -22,10 +22,9 @@ The Kubernetes check performs requests on Kubernetes resources such as Pods to g
 
 ]}/>
 
-## Ready
-
-Using `ready: true` is functionally equivalent to:
+## Healthy
 
+Using `healthy: true` is functionally equivalent to the test expression above:
 
 ```yaml
 apiVersion: canaries.flanksource.com/v1
@@ -38,6 +37,8 @@ spec:
     - namespace: kube-system
       name: kube-system
       kind: Pod
+      //highlight-next-line
+      healthy: true
       resource:
         labelSelector: k8s-app=kube-dns
       namespaceSelector:
@@ -48,16 +49,26 @@ spec:
           map(i, i.Object).
           filter(i, !k8s.isHealthy(i)).
           map(i, "%s/%s -> %s".format([i.metadata.namespace, i.metadata.name, k8s.getHealth(i).message])).join('\n')
-      test:
-        expr: dyn(results).all(x, k8s.isHealthy(x))
 ```
 
-See the CEL <CommonLink to="cel" anchor="kubernetes">*Kubernetes*</CommonLink> docs for more details on the `k8s.isHealthy` and other functions available
+See the CEL <CommonLink to="cel" anchor="kubernetes">_Kubernetes_</CommonLink> docs for more details on the `k8s.isHealthy` and other functions available
+
+## Ready
+
+Similar to the `healthy` flag, there's also a `ready` flag which is functionally equivalent to having the following test expression
+
+```
+dyn(results).all(x, k8s.isReady(x))
+```
+
+---
 
 <details summary="Checking for certificate readiness">
 <div>
 
 ```yaml title="junit.yaml"  file=../../../modules/canary-checker/fixtures/k8s/certmanager.yaml
+
 ```
+
 </div>
 </details>

canary-checker/sidebars.js

@@ -67,7 +67,6 @@ module.exports = {
           id: 'concepts/secret-management',
           label: 'Secret Management'
         },
-
         {
           type: 'category',
           label: 'Expressions',

mission-control/docs/installation/aws-eks.mdx

@@ -125,24 +125,24 @@ helm install mission-control  \
 (b) Modify the trust policy of the IAM role by changing the OIDC arn, OIDC endpoint and the namespace below.
 ```json
 {
-	"Version": "2012-10-17",
-	"Statement": [
-			{
-					"Effect": "Allow",
-					"Principal": {
-							"Federated": "arn:aws:iam::7458xxxxxxxx:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx"
-					},
-					"Action": "sts:AssumeRoleWithWebIdentity",
-					"Condition": {
-							"StringEquals": {
-									"oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:config-db-sa",
-									"oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:mission-control-sa",
-									"oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:canary-checker-sa",
-									"oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:aud": "sts.amazonaws.com"
-							}
-					}
-			}
-	]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::7458xxxxxxxx:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:config-db-sa",
+          "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:mission-control-sa",
+          "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:sub": "system:serviceaccount:namespace:canary-checker-sa",
+          "oidc.eks.us-east-1.amazonaws.com/id/4D3C9C8xxxx:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
 }
 ```
 

mission-control/docs/installation/chart-permissions.md

@@ -0,0 +1,36 @@
+# Fine tuning permission
+
+## Canary Checker
+
+Canary Checker, by default, uses a highly permissive service account.
+You can configure the permissions on that service account via the helm values.
+
+```yaml title="values.yaml"
+....
+rbac:
+  # Whether to create cluster-wide or namespaced roles
+  cluster_role: false
+
+  # for secret management with valueFrom
+  tokenRequest: true
+  secrets: true
+  configmaps: true
+
+  # for use with kubernetes resource lookups
+  readAll: true
+
+  # for pod and junit canaries
+  podsCreateAndDelete: true
+
+  # for pod canary
+  ingressCreateAndDelete: true
+
+  # for kubernetes resource check & namespace check
+  namespaceCreateAndDelete: true
+```
+
+The first thing to decide on is whether to grant cluster role access or namespace access
+to the service account.
+
+If certain checks do not need to be performed, the corresponding permissions required for them can be disabled.
+Example: the `readAll` permission is essential to run the Kubernetes lookup check.