FairwindsOps / polaris

Validation of best practices in your Kubernetes clusters
https://www.fairwinds.com/polaris
Apache License 2.0
3.17k stars 213 forks

polaris audit namespace error #984

Closed Pascha23 closed 9 months ago

Pascha23 commented 1 year ago

What happened?

When I try to audit a specific namespace in-cluster, I receive the following error:

```
time="2023-08-22T03:05:17Z" level=info msg="Loading nodes"
time="2023-08-22T03:05:17Z" level=info msg="Loading namespaces"
time="2023-08-22T03:05:17Z" level=info msg="Loading pods"
time="2023-08-22T03:05:17Z" level=info msg="Setting up restmapper"
time="2023-08-22T03:05:18Z" level=info msg="Loading autoscaling/HorizontalPodAutoscaler"
time="2023-08-22T03:05:18Z" level=info msg="Loading policy/PodDisruptionBudget"
time="2023-08-22T03:05:18Z" level=info msg="Loading Service"
time="2023-08-22T03:05:18Z" level=info msg="Loading networking.k8s.io/Ingress"
time="2023-08-22T03:05:18Z" level=info msg="Loading rbac.authorization.k8s.io/RoleBinding"
time="2023-08-22T03:05:18Z" level=info msg="Loading rbac.authorization.k8s.io/Role"
time="2023-08-22T03:05:18Z" level=info msg="Loading rbac.authorization.k8s.io/ClusterRole"
time="2023-08-22T03:05:18Z" level=warning msg="Error retrieving parent object API v1 and Kind clusterroles because of error: the server could not find the requested resource"
time="2023-08-22T03:05:18Z" level=error msg="Error fetching Kubernetes resources the server could not find the requested resource"
```

What did you expect to happen?

Auditing a whole cluster with Polaris works great, but when it is restricted to a certain namespace it errors. I would like it to also work with only a specific namespace.

How can we reproduce this?

Command in container: `polaris audit --namespace polaris --log-level trace`

RBAC:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: polaris
  labels:
    name: polaris
rules:
```

Version

8.4.0, 7.3.2

Additional context

No response

sudermanjr commented 1 year ago

Seems like maybe it's trying to look for a clusterrole at the namespace level? @rbren any thoughts?

rbren commented 1 year ago

Yup looks like a bug!

We'll have to get smart about skipping non-namespaced resources here: https://github.com/FairwindsOps/polaris/blob/10e82cf0aeb3e1256c87f0dc20d7de7f556c28c6/pkg/kube/resources.go#L339
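A sketch of the scope check discussed in this thread, added here as an illustration; it is not Polaris code and not written by any participant. The `apiResource` type, `listPath`, `planFetch` and the sample list are hypothetical names; the `Namespaced` flag mirrors the field of the same name that Kubernetes API discovery reports for each resource.

```go
package main

import "fmt"

// apiResource: Namespaced mirrors the scope flag reported by API discovery.
type apiResource struct {
	Group, Version, Plural, Kind string
	Namespaced                   bool
}

// Constructed sample: kinds named in the log above, with their real scopes.
var sample = []apiResource{
	{"", "v1", "services", "Service", true},
	{"networking.k8s.io", "v1", "ingresses", "Ingress", true},
	{"rbac.authorization.k8s.io", "v1", "rolebindings", "RoleBinding", true},
	{"rbac.authorization.k8s.io", "v1", "roles", "Role", true},
	{"rbac.authorization.k8s.io", "v1", "clusterroles", "ClusterRole", false},
}

// listPath builds the REST list path. A cluster-scoped kind has no route under
// /namespaces/<ns>/, so it is refused here rather than sent to the server (404).
func listPath(r apiResource, ns string) (string, error) {
	prefix := "/apis/" + r.Group + "/" + r.Version
	if r.Group == "" {
		prefix = "/api/" + r.Version // core group
	}
	if ns == "" {
		return prefix + "/" + r.Plural, nil
	}
	if !r.Namespaced {
		return "", fmt.Errorf("%s is cluster-scoped, not listable in namespace %q", r.Kind, ns)
	}
	return prefix + "/namespaces/" + ns + "/" + r.Plural, nil
}

// planFetch returns the paths to list and the kinds skipped for scope.
func planFetch(all []apiResource, ns string) (paths, skipped []string) {
	for _, r := range all {
		if p, err := listPath(r, ns); err != nil {
			skipped = append(skipped, r.Kind)
		} else {
			paths = append(paths, p)
		}
	}
	return paths, skipped
}

func main() {
	fmt.Println(planFetch(sample, "polaris"))
}
```

With a namespace set, `ClusterRole` lands in the skipped list instead of producing a request the API server cannot route; with an empty namespace every kind is listed cluster-wide.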

mikutas commented 11 months ago

not stale

mikutas commented 9 months ago

not stale