corneliusweig / rakkess

Review Access - kubectl plugin to show an access matrix for k8s server resources
Apache License 2.0
1.32k stars, 55 forks

More powerful resource matching (ERRO[0005] determine requested resource: no matches for ...) #139

Open marians opened 3 years ago

marians commented 3 years ago

In a cluster with a CRD named Organization (long name: organizations.security.giantswarm.io), the following command works fine:

$ kubectl access-matrix resource organizations

However, when I use the full CRD name instead, this happens:

$ kubectl access-matrix resource organizations.security.giantswarm.io
ERRO[0005] determine requested resource: no matches for /, Resource=organizations.security.giantswarm.io

I expected to be able to use the full name, as is the case with kubectl get <resource>.

corneliusweig commented 3 years ago

Interesting, thanks for reporting! Can you check if other CRDs have the same problem?

Also, please enable verbose logging to make debugging easier. I don't have access to a gs cluster :)

marians commented 3 years ago

Same problem with other CRDs.

$ k access-matrix resource azureclusteridentities.infrastructure.cluster.x-k8s.io -v=debug
DEBU[0000] Set log-level to debug
ERRO[0005] determine requested resource: no matches for /, Resource=azureclusteridentities.infrastructure.cluster.x-k8s.io

$ k access-matrix resource azureclusteridentities -v=debug
DEBU[0000] Set log-level to debug
DEBU[0000] fetching clusterRoles
DEBU[0000] fetching ClusterRoleBindings
DEBU[0000] Skipping roles and rolebindings because namespace is missing
NAME                                     KIND            SA-NAMESPACE       LIST  CREATE  UPDATE  DELETE
Admins                                   Group                              ✔     ✖       ✖       ✖
automation                               ServiceAccount  default            ✔     ✖       ✖       ✖
azure-operator-5-5-2                     ServiceAccount  giantswarm         ✔     ✔       ✔       ✔
chart-operator-unique                    ServiceAccount  giantswarm         ✔     ✔       ✔       ✔
clusterrole-aggregation-controller       ServiceAccount  kube-system        ✔     ✔       ✔       ✔
default                                  ServiceAccount  flux-app           ✔     ✔       ✔       ✔
dex                                      ServiceAccount  giantswarm         ✔     ✔       ✔       ✔
draughtsman                              ServiceAccount  draughtsman        ✔     ✔       ✔       ✔
g8s.gollum.westeurope.azure.gigantic.io  User                               ✔     ✔       ✔       ✔
gatekeeper-admin                         ServiceAccount  gatekeeper-system  ✔     ✔       ✔       ✔
generic-garbage-collector                ServiceAccount  kube-system        ✔     ✖       ✔       ✔
giantswarm:giantswarm-admins             Group                              ✔     ✔       ✔       ✔
horizontal-pod-autoscaler                ServiceAccount  kube-system        ✔     ✖       ✖       ✖
namespace-controller                     ServiceAccount  kube-system        ✔     ✖       ✖       ✔
resourcequota-controller                 ServiceAccount  kube-system        ✔     ✖       ✖       ✖
system:kube-controller-manager           User                               ✔     ✖       ✖       ✖
system:masters                           Group                              ✔     ✔       ✔       ✔
tiller-giantswarm                        ServiceAccount  kube-system        ✔     ✔       ✔       ✔
Only ClusterRoleBindings are considered, because no namespace is given.
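
The error above shows the whole argument landing in the Resource field with an empty group. The following is an added example, not rakkess code: it tries the `resource.version.group` and `resource.group` readings of an argument (the same split `schema.ParseResourceArg` in k8s.io/apimachinery performs) against a discovery list. The `GVR` type, the function names and the discovery entries, including the `v1alpha1` version, are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// GVR identifies an API resource as reported by server discovery.
type GVR struct{ Group, Version, Resource string }

// sampleDiscovery is a constructed discovery result; the CRD version is assumed.
func sampleDiscovery() []GVR {
	return []GVR{
		{"", "v1", "pods"},
		{"apps", "v1", "deployments"},
		{"security.giantswarm.io", "v1alpha1", "organizations"},
	}
}

// candidates lists the readings of a CLI argument, most specific first:
// "resource.version.group", then "resource.group", then a bare resource name.
func candidates(arg string) []GVR {
	var out []GVR
	if p := strings.SplitN(arg, ".", 3); len(p) == 3 {
		out = append(out, GVR{Group: p[2], Version: p[1], Resource: p[0]})
	}
	if i := strings.Index(arg, "."); i >= 0 {
		out = append(out, GVR{Group: arg[i+1:], Resource: arg[:i]})
	}
	return append(out, GVR{Resource: arg})
}

// resolve returns the first discovered resource matching any reading.
// An empty Group or Version in a candidate matches any value.
func resolve(arg string, discovered []GVR) (GVR, error) {
	for _, c := range candidates(strings.ToLower(arg)) {
		for _, d := range discovered {
			if c.Resource == d.Resource &&
				(c.Group == "" || c.Group == d.Group) &&
				(c.Version == "" || c.Version == d.Version) {
				return d, nil
			}
		}
	}
	return GVR{}, fmt.Errorf("no matches for %q", arg)
}

func main() {
	for _, a := range []string{"organizations", "organizations.security.giantswarm.io"} {
		fmt.Println(resolve(a, sampleDiscovery()))
	}
}
```

The three-part reading of `organizations.security.giantswarm.io` (version `security`, group `giantswarm.io`) finds nothing, so the match comes from the `resource.group` fallback.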