corneliusweig / rakkess

Review Access - kubectl plugin to show an access matrix for k8s server resources
Apache License 2.0

Add support for use verb #30

Closed surajssd closed 5 years ago

surajssd commented 5 years ago

Expected behavior

I want results for use verb.

Actual behavior

Right now if I list the resource podsecuritypolicy and define verb use I get error.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Just set up a cluster that has the PodSecurityPolicy admission plugin enabled. Also install PSPs in your cluster, since they are not automatically installed. If you want an example of a PSP, just do kubectl apply -f URL on the files in these two links: https://github.com/kinvolk/terraform-render-bootkube/blob/kinvolk-master/resources/manifests/psp-restricted.yaml and https://github.com/kinvolk/terraform-render-bootkube/blob/kinvolk-master/resources/manifests/psp-privileged.yaml

  2. Once you have a cluster with PSPs, run the following command:

$ rakkess resource psp --verbs use
ERRO[0000] unexpected verbs: [use]

  3. Run with option -v debug to show extra logging:

$ rakkess resource psp -v debug --verbs use
DEBU[0000] Set log-level to debug
ERRO[0000] unexpected verbs: [use]

Context:

$ rakkess version --full
rakkess:    v0.4.0
platform:   linux/amd64
git commit: b851b199ec7f14bad3b4f7ddec27aa72a6258f31
build date: 2019-04-26T18:43:27Z
go version: go1.12.4
compiler:   gc

Additional context

The PSPs are made usable by using the verb use in a Role or ClusterRole, which is then bound to service accounts or users using a RoleBinding or ClusterRoleBinding. For example, here is a snippet from the PSP link I posted above.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['use']
  resourceNames:
  - restricted
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: restricted-psp-system-authenticated
roleRef:
  kind: ClusterRole
  name: restricted-psp
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

The above snippet is from this source: https://github.com/kinvolk/terraform-render-bootkube/blob/0913331140747fd464946981c1d43a895d7a630b/resources/manifests/psp-restricted.yaml#L52-L75

surajssd commented 5 years ago

So tl;dr of this whole issue is I want to find out for a particular PSP who all can use it.

corneliusweig commented 5 years ago

Hi @surajssd, thanks for taking the time to report this. This is definitely a use case that rakkess should support. I would suggest allowing arbitrary verbs for the rakkess resource subcommand, because basically anything can be put into a ClusterRole. On the other hand, I would not want to touch the list of allowed verbs for the main command, because only verbs listed in kubectl api-resources -owide make sense there. Do you agree?

corneliusweig commented 5 years ago

@surajssd Can you check if the pre-release version works as expected? https://github.com/corneliusweig/rakkess/releases/tag/v0.4.1-pre

For the example above, please remember that the ClusterRole only applies to a single named resource. So this will work:

rakkess resource psp restricted --verbs use 

and this will ignore your ClusterRole:

rakkess resource psp --verbs use 
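As an added illustration of the resourceNames point in the comment above (this is not rakkess code and is not from the issue), here is a small Python model of how the Kubernetes RBAC authorizer matches a request against a PolicyRule. The ClusterRole from the issue is embedded as a constructed dict rather than parsed from YAML, and the model also covers the `*` wildcard that RBAC accepts in apiGroups, resources and verbs.

```python
# Added example, not part of rakkess: a minimal model of Kubernetes RBAC
# PolicyRule matching. It shows why a ClusterRole with
# resourceNames: [restricted] grants "use" on podsecuritypolicies/restricted
# but says nothing about the unnamed podsecuritypolicies collection.

# Constructed from the restricted-psp ClusterRole shown in the issue.
RESTRICTED_PSP_ROLE = {
    "name": "restricted-psp",
    "rules": [
        {
            "apiGroups": ["policy"],
            "resources": ["podsecuritypolicies"],
            "verbs": ["use"],
            "resourceNames": ["restricted"],
        }
    ],
}


def _matches(allowed, value):
    # RBAC treats "*" in apiGroups, resources or verbs as matching anything.
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb, resource_name=None):
    """True if one PolicyRule grants `verb` on the given resource.

    A rule that lists resourceNames only matches requests that name one of
    those objects; a request for the whole collection (resource_name=None)
    never matches such a rule. RBAC has no wildcard for resourceNames.
    """
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    if names:
        return resource_name is not None and resource_name in names
    return True


def role_allows(role, api_group, resource, verb, resource_name=None):
    """Rules are purely additive: the role grants access if any rule does."""
    return any(rule_allows(r, api_group, resource, verb, resource_name)
               for r in role["rules"])


if __name__ == "__main__":
    for name in ("restricted", "privileged", None):
        print(name, role_allows(RESTRICTED_PSP_ROLE, "policy",
                                "podsecuritypolicies", "use", name))
```

Running it prints True only for "restricted", matching the behaviour of the two rakkess commands above: the named resource is granted, the unnamed collection is not.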

surajssd commented 5 years ago

@corneliusweig the above commands worked for me with the release you have provided.