Open paullaffitte opened 3 years ago
Sorry, I didn't see this issue until now. This is indeed a bit unclear and confusing, but expected behaviour.
Permissions are basically a tuple of (resource, serviceAccount, action), for example (pod, kube-system, list). In other words, this has three dimensions.
The primary command, access-matrix, takes a defined serviceAccount (usually your current user), and makes a slice through this space, i.e. (resource, serviceAccount=you, action). The --sa flag changes the layer to a different one, for example with --sa=other it will produce the slice (resource, serviceAccount=other, action). This slice is then shown as a matrix.
On the other hand, the access-matrix for <resource> command fixes the resource in the space and produces a slice like (resource=pod, serviceAccount, action). So specifying the flag --sa does not make sense, otherwise the matrix would become a line along the action dimension: (resource=pod, serviceAccount=other, action).
If you have an idea how to express this better in the documentation, I'm happy to review your suggestion!
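The three-dimensional model described in the comment above, as an added Go sketch that is not part of the thread or the plugin's own code. The grant data and the names `Grant`, `Matrix`, `cut`, `ForServiceAccount` and `ForResource` are constructed for illustration.

```go
package main

import "fmt"

// Grant is one point in the (resource, serviceAccount, action) space.
type Grant struct{ Resource, ServiceAccount, Action string }

// Constructed sample data; the names are illustrative, not from a real cluster.
var grants = []Grant{
	{"pod", "you", "list"}, {"pod", "you", "get"}, {"pod", "other", "list"},
	{"secret", "you", "list"}, {"secret", "other", "get"},
}

// Matrix maps a row label to the set of actions allowed in that row.
type Matrix map[string]map[string]bool

// cut keeps the grants matching the fixed dimensions (an empty string leaves a
// dimension free) and labels each row with rowKey.
func cut(resource, sa string, rowKey func(Grant) string) Matrix {
	m := Matrix{}
	for _, g := range grants {
		if resource != "" && g.Resource != resource {
			continue
		}
		if sa != "" && g.ServiceAccount != sa {
			continue
		}
		if m[rowKey(g)] == nil {
			m[rowKey(g)] = map[string]bool{}
		}
		m[rowKey(g)][g.Action] = true
	}
	return m
}

// ForServiceAccount fixes the service account: rows are resources.
func ForServiceAccount(sa string) Matrix {
	return cut("", sa, func(g Grant) string { return g.Resource })
}

// ForResource fixes the resource: rows are service accounts.
func ForResource(res string) Matrix {
	return cut(res, "", func(g Grant) string { return g.ServiceAccount })
}

func main() {
	fmt.Println(ForServiceAccount("other")) // resource x action matrix
	fmt.Println(ForResource("pod"))         // serviceAccount x action matrix
	// Fixing both dimensions leaves a single row along the action axis.
	fmt.Println(cut("pod", "other", func(g Grant) string { return g.ServiceAccount }))
}
```

For a least-privilege review, the resource-fixed slice is the one that answers "which service accounts can act on this resource", which is why it keeps the service account dimension free.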
Expected behavior
I would expect the documentation to match the binary capabilities.
Actual behavior
Some flags described in the documentation are not available in the plugin.
Steps To Reproduce
kubectl access-matrix for pod --sa cloud-controller-manager -n ccmop
It outputs the following:
Context:
Additional context ~