Closed jinnovation closed 5 months ago
Relevant API: `SelfSubjectAccessReview`

`POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews`
Example query:

```http
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 246
Content-Type: application/json
Host: 127.0.0.1:8001
User-Agent: HTTPie/3.2.1

{
  "apiVersion": "authorization.k8s.io/v1",
  "kind": "SelfSubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "group": "apps",
      "resource": "deployments",
      "verb": "list"
    }
  }
}
```
Example response:

```json
{
  "apiVersion": "authorization.k8s.io/v1",
  "kind": "SelfSubjectAccessReview",
  "metadata": {
    "creationTimestamp": null,
    "managedFields": [
      {
        "apiVersion": "authorization.k8s.io/v1",
        "fieldsType": "FieldsV1",
        "fieldsV1": {
          "f:spec": {
            "f:resourceAttributes": {
              ".": {},
              "f:group": {},
              "f:resource": {},
              "f:verb": {}
            }
          }
        },
        "manager": "HTTPie",
        "operation": "Update",
        "time": "2023-03-18T19:35:40Z"
      }
    ]
  },
  "spec": {
    "resourceAttributes": {
      "group": "apps",
      "resource": "deployments",
      "verb": "list"
    }
  },
  "status": {
    "allowed": true,
    "reason": "access granted by IAM permissions."
  }
}
```
```sh
curl -d "@data.json" -H "Content-Type: application/json" -X POST http://127.0.0.1:8001/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
```
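As an added example (not Kele's own code), the same check wrapped into a small Python helper: it builds the `SelfSubjectAccessReview` body for any verb/resource, submits it through an injectable `post` callable (so it can be pointed at the `127.0.0.1:8001` endpoint above, assumed to be a `kubectl proxy`, or at an offline stub), and fails closed whenever the server does not answer `"allowed": true`. The names `build_ssar`, `is_allowed`, `post_json` and `can_i` are this example's own.

```python
"""Ask the API server whether the current identity may <verb> <resource>,
the way a client like Kele would before enabling a command or completion."""
import json
import urllib.request

SSAR_PATH = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"


def build_ssar(group, resource, verb, namespace=None):
    """Request body for the review. Core resources (pods, secrets, ...) use
    group "" in the API; omitting namespace asks about cluster-wide access."""
    attrs = {"group": group, "resource": resource, "verb": verb}
    if namespace is not None:
        attrs["namespace"] = namespace
    return {"apiVersion": "authorization.k8s.io/v1",
            "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}


def is_allowed(review):
    """True only when the server explicitly set status.allowed to true.
    A missing status block or "allowed": false both mean the feature must be
    disabled or fall back to an alternative experience (fail closed)."""
    status = review.get("status") or {}
    return status.get("allowed") is True


def post_json(base_url, path, body):
    """Assumed transport: POST JSON to an unauthenticated `kubectl proxy`
    (the proxy attaches the kubeconfig credentials for us)."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def can_i(group, resource, verb, namespace=None, post=None,
          base_url="http://127.0.0.1:8001"):
    """Decide whether an operation (e.g. listing deployments for completion)
    should be offered. Transport or decoding errors count as "no"."""
    post = post or post_json
    try:
        review = post(base_url, SSAR_PATH,
                      build_ssar(group, resource, verb, namespace))
        return is_allowed(review)
    except (OSError, ValueError):
        return False
```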
Related to #66.
Many Kele operations tacitly assume that the user has full authorization within the given cluster. This is not a valid assumption. This is, for example, a long-standing issue with kubernetes-el that prevents entire swathes of potential users from leveraging it.
Take `kele-get` and `kele-list`, both of which assume that the user has list permissions for the resource in question (for completion for the former, by definition for the latter). Attempting to use either of these commands in such circumstances results in an error like follows:

This is consistent with the underlying issue:
Each Kele suffix effectively needs some notion of authorization that either flat-out disables the suffix or falls back to an alternative experience in "unauthorized cases," e.g. disabling completion for `kele-get` when the user doesn't have list permissions.

Definition of Done