If I run
oc access-matrix r secret -n=istio-system
it shows that a lot of other groups can delete the secret:
NAME                      KIND   SA-NAMESPACE  CREATE  GET  LIST  WATCH  UPDATE  PATCH  DELETE  DELETECOLLECTION
okdprod-cluster-admin     Group                ✔       ✔    ✔     ✔      ✔       ✔      ✔       ✔
okdprod-cluster-reader    Group                ✖       ✔    ✔     ✔      ✖       ✖      ✖       ✖
okdprod-cluster-user      Group                ✔       ✔    ✔     ✔      ✔       ✔      ✔       ✔
okdprod-self-provisioner  Group                ✔       ✔    ✔     ✔      ✔       ✔      ✔       ✔
I've also verified that "who-can" is correct. The group "okdprod-self-provisioner" can create a secret, but not delete a secret.
But the access-matrix shows that the group can do everything.
Expected behavior: access-matrix should match with the command "oc who-can"
Actual behavior: access-matrix is not consistent with "oc who-can"
Steps To Reproduce: N/A
Context:
Rakkess version:
rakkess: v0.5.0
platform: linux/amd64
git commit: e52bef14064d68573850f4f64f825b7be4800457
build date: 2021-07-25T09:13:28Z
go version: go1.16.6
compiler: gc
oc client version:
oc version
Client Version: 4.11.0-0.okd-2022-08-20-022919
Kustomize Version: v4.5.4
Server Version: 4.11.0-0.okd-2022-08-20-022919
Kubernetes Version: v1.24.0-2368+b62823b40c2cb1-dirty
OKD version: 4.11.0-0.okd-2022-08-20-022919
kubectl version
Additional context: If I run the following command, you can see which groups and users can delete a secret in the namespace istio-system.
If I run
oc access-matrix r secret -n=istio-system
it shows that a lot of other groups can delete the secret. I've also verified that "who-can" is correct. The group "okdprod-self-provisioner" can create a secret, but not delete a secret. But the access-matrix shows that the group can do everything.