nati-elmaliach
commented
1 month ago Hey there, I'll be happy to take this one :)
Open doronkg opened 1 month ago
nati-elmaliach
commented
1 month ago Hey there, I'll be happy to take this one :)
Is your feature request related to a problem? RoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand or Roles/ClusterRoles on the other hand.
Go through all existing RoleBindings and verify if they are applied to existing subjects and roles. Utilize
ShowReasonflag to indicate that the reason the RoleBinding was considered unused was because it referenced an unused subject or role.NOTE: Since a RoleBinding can include multiple subject references, discovering a single non-existing subject (one of several existing ones) might indicate the RoleBinding as unused while it actually is, in that case, it shouldn't be considered as unused.
Examples
In the attached example, we could see a RoleBinding with references to both users: `alice` & `bob`. 1. Assuming both users `alice` & `bob` does not exist, the Role is not applied to them, hence the RoleBinding will be considered as **UNUSED**. 2. Assuming both users `alice` & `bob` exist, but the Role does not exist, it is not applied to them, hence the RoleBinding will be considered as **UNUSED**. 3. Assuming user `alice` does exist and the Role is applied to it, even while `bob` does not exist - the RoleBinding will be considered as **USED**. ``` apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: read-pods namespace: default subjects: - kind: User name: alice apiGroup: rbac.authorization.k8s.io - kind: User name: bob apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.io ```Describe the solution you'd like
Feature checklist
pkg/kor/rolebindings.gopkg/kor/rolebindings_test.gopkg/kor/create_test_resources.gopkg/kor/all.gopkg/kor/delete.gopkg/kor/multi.gocmd/kor/rolebindings.gocharts/kor/templates/role.yamlREADME.md