Added functionality to fetch subresources #57

eightseventhreethree

Added fetching subresources. The filtering mechanism is unchanged since the syntax is:

rbac-tool gen --deny-resources=clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,pods/exec. --allowed-verbs=get,list,watch

@eightseventhreethree
Author

#48

@gadinaor gadinaor self-requested a review September 22, 2022 07:39
@gadinaor-r7
Contributor

@eightseventhreethree - thanks for the PR.

I looked into the change here and while it is minimal - it would change the entire behavior in a way that is likely broader than what one would intend.

Subresources such as pods/exec have specific verbs that they support - the way that the code works today is by grouping rules for resources that share verbs.

The introduction of the change with existing code would create policies that are inaccurate - for example pods/exec with list verb - which is not supported/relevant and would create confusion.

Take a look at the output of the new command kubectl rbac-tool show - it should give a better color why supporting subresources requires a slightly different UX and implementation
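
An added example, not part of the PR thread and not rbac-tool's own code: it groups resources by the verbs they share, as the comment above describes, but first intersects the requested verbs with what each resource supports, so pods/exec never ends up in a rule with list. `GroupByVerbs` and `sampleDiscovery` are hypothetical names, and the verb lists are constructed sample data assumed to match typical core/v1 API discovery output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleDiscovery: constructed data mirroring verbs that API discovery reports.
var sampleDiscovery = map[string][]string{
	"pods":       {"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"},
	"configmaps": {"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"},
	"pods/exec":  {"create", "get"},
	"pods/log":   {"get"},
}

// GroupByVerbs (hypothetical helper) keeps, per resource, only the allowed verbs
// it supports, then groups resources with identical verb sets (key = sorted verbs).
func GroupByVerbs(discovered map[string][]string, allowed []string) map[string][]string {
	want := make(map[string]bool, len(allowed))
	for _, v := range allowed {
		want[v] = true
	}
	groups := map[string][]string{}
	for resource, verbs := range discovered {
		var keep []string
		for _, v := range verbs {
			if want[v] {
				keep = append(keep, v)
			}
		}
		if len(keep) == 0 {
			continue // no allowed verb applies, so emit no rule at all
		}
		sort.Strings(keep)
		key := strings.Join(keep, ",")
		groups[key] = append(groups[key], resource)
	}
	for key := range groups {
		sort.Strings(groups[key])
	}
	return groups
}

func main() {
	for verbs, resources := range GroupByVerbs(sampleDiscovery, []string{"get", "list", "watch"}) {
		fmt.Printf("resources=%v verbs=[%s]\n", resources, verbs)
	}
}
```

With `get,list,watch` allowed, the subresources land in their own `get`-only group instead of inheriting `list` and `watch` from the parent resource.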

@eightseventhreethree
Author

> @eightseventhreethree - thanks for the PR.
>
> I looked into the change here and while it is minimal - it would change the entire behavior in a way that is likely broader than what one would intend.
>
> Subresources such as pods/exec have specific verbs that they support - the way that the code works today is by grouping rules for resources that share verbs.
>
> The introduction of the change with existing code would create policies that are inaccurate - for example pods/exec with list verb - which is not supported/relevant and would create confusion.
>
> Take a look at the output of the new command kubectl rbac-tool show - it should give a better color why supporting subresources requires a slightly different UX and implementation

Understood, however in its current implementation it's also non-functional since without the subresources the RBAC policy doesn't actually allow you access to the resources you have defined.

@gadinaor-r7
Contributor

@eightseventhreethree - I'll find time to further look into it.

@gadinaor-r7
Contributor

gadinaor-r7 commented Nov 24, 2022

kubectl rbac-tool show should provide enough functionality to address this
