jinnovation / kele.el

🥤 Spritzy Kubernetes cluster management for Emacs
https://jonathanj.in/kele.el/
Apache License 2.0

Kele should respect authorization for listing resources #152

Closed jinnovation closed 5 months ago

jinnovation commented 1 year ago

Related to #66.

Many Kele operations tacitly assume that the user has full authorization within the given cluster. This is not a valid assumption. This is, for example, a long-standing issue with kubernetes-el that prevents entire swathes of potential users from leveraging it.

Take kele-get and kele-list, both of which assume that the user has list permissions for the resource in question (for completion for the former, by definition for the latter). Attempting to use either of these commands in such circumstances results in an error like the following:

error in process sentinel: HTTP error

This is consistent with the underlying issue:

x curl 127.0.0.1:8001/apis/apps/v1/deployments
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "deployments.apps is forbidden: User \"EMAIL\" cannot list resource \"deployments\" in API group \"apps\" at the cluster scope: requires one of [\"container.deployments.list\"] permission(s).",
  "reason": "Forbidden",
  "details": {
    "group": "apps",
    "kind": "deployments"
  },
  "code": 403
}%

Each Kele suffix effectively needs some notion of authorization that either flat-out disables the suffix or falls back to an alternative experience in "unauthorized cases," e.g. disabling completion for kele-get when the user doesn't have list permissions.

Definition of Done

jinnovation commented 1 year ago

Relevant API: SelfSubjectAccessReview

POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews

jinnovation commented 1 year ago

Example query:

POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 246
Content-Type: application/json
Host: 127.0.0.1:8001
User-Agent: HTTPie/3.2.1

{
    "apiVersion": "authorization.k8s.io/v1",
    "kind": "SelfSubjectAccessReview",
    "spec": {
        "resourceAttributes": {
            "group": "apps",
            "resource": "deployments",
            "verb": "list"
        }
    }
}

Example response:

{
    "apiVersion": "authorization.k8s.io/v1",
    "kind": "SelfSubjectAccessReview",
    "metadata": {
        "creationTimestamp": null,
        "managedFields": [
            {
                "apiVersion": "authorization.k8s.io/v1",
                "fieldsType": "FieldsV1",
                "fieldsV1": {
                    "f:spec": {
                        "f:resourceAttributes": {
                            ".": {},
                            "f:group": {},
                            "f:resource": {},
                            "f:verb": {}
                        }
                    }
                },
                "manager": "HTTPie",
                "operation": "Update",
                "time": "2023-03-18T19:35:40Z"
            }
        ]
    },
    "spec": {
        "resourceAttributes": {
            "group": "apps",
            "resource": "deployments",
            "verb": "list"
        }
    },
    "status": {
        "allowed": true,
        "reason": "access granted by IAM permissions."
    }
}

jinnovation commented 5 months ago

curl -d "@data.json" -H "Content-Type: application/json" -X POST http://127.0.0.1:8001/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
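
An added example, not part of the original thread and not Kele's own code: a fail-closed SelfSubjectAccessReview check in Python that builds the request body shown above and treats anything other than an explicit `allowed: true` (including a `Status` failure object like the 403 above) as "not authorized". The function names `build_review`, `is_allowed` and `can_i` are hypothetical, and `can_i` assumes a `kubectl proxy` endpoint such as the `127.0.0.1:8001` used in this issue.

```python
import json
import urllib.error
import urllib.request

REVIEW_PATH = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"

def build_review(group, resource, verb, namespace=None):
    """Build a SelfSubjectAccessReview body; no namespace asks at cluster scope."""
    attrs = {"group": group, "resource": resource, "verb": verb}
    if namespace:
        attrs["namespace"] = namespace
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}

def is_allowed(response):
    """Fail closed: True only for a review whose status explicitly allows."""
    if not isinstance(response, dict) or response.get("kind") != "SelfSubjectAccessReview":
        return False  # e.g. a "Status" failure object instead of a review
    status = response.get("status")
    if not isinstance(status, dict) or status.get("denied") is True:
        return False
    return status.get("allowed") is True

def can_i(base_url, group, resource, verb, namespace=None, timeout=5):
    """POST the review through `kubectl proxy`; any error counts as not allowed."""
    req = urllib.request.Request(
        base_url.rstrip("/") + REVIEW_PATH,
        data=json.dumps(build_review(group, resource, verb, namespace)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_allowed(json.load(resp))
    except (urllib.error.URLError, ValueError, OSError):
        return False

# Constructed sample responses, trimmed from the shapes shown in this issue.
SAMPLE_ALLOWED = {"kind": "SelfSubjectAccessReview",
                  "status": {"allowed": True, "reason": "constructed sample"}}
SAMPLE_FORBIDDEN = {"kind": "Status", "status": "Failure", "code": 403}

if __name__ == "__main__":
    # Gate a list-backed command the way the issue proposes.
    for name, resp in (("allowed", SAMPLE_ALLOWED), ("forbidden", SAMPLE_FORBIDDEN)):
        mode = "complete from list" if is_allowed(resp) else "prompt for a name, no completion"
        print(f"{name}: {mode}")
```

The review result is only a client-side hint for choosing the user experience; the API server still enforces authorization on the actual list request.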