Open doronkg opened 3 months ago
@nati-elmaliach would you also like to claim this issue following #362? The logic would be pretty similar.
Sure thing. @yonahd please assign it to me.
@doronkg @yonahd
Just a quick clarification:
A ClusterRoleBinding is not tied to any specific namespace. How would you prefer the output to be displayed for
`kor clusterrolebindings --include-namespaces`?
Should it throw, show a warning, or be ignored?

Great questions. You can see how it is handled in the persistent volume resource. Let me know if this covers your questions.
Is your feature request related to a problem?
ClusterRoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand, or non-existing ClusterRoles on the other hand.

Describe the solution you'd like
Go through all existing ClusterRoleBindings and verify whether they are applied to existing subjects and ClusterRoles. Utilize the `ShowReason` flag to indicate that the reason the ClusterRoleBinding was considered unused was that it referenced an unused subject or ClusterRole.

NOTE: Since a ClusterRoleBinding can include multiple subject references, discovering a single non-existing subject (one of several existing ones) might mark the ClusterRoleBinding as unused while it actually is in use; in that case, it shouldn't be considered unused.

Examples
In the attached example, we can see a ClusterRoleBinding with references to both users `alice` & `bob`.
1. Assuming both users `alice` & `bob` do not exist, the ClusterRole is not applied to them, hence the ClusterRoleBinding will be considered **UNUSED**.
2. Assuming both users `alice` & `bob` exist, but the ClusterRole does not exist, it is not applied to them, hence the ClusterRoleBinding will be considered **UNUSED**.
3. Assuming user `alice` does exist and the ClusterRole is applied to it, even while `bob` does not exist, the ClusterRoleBinding will be considered **USED**.

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods-global
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
Feature checklist
pkg/kor/clusterrolebindings.go
pkg/kor/clusterrolebindings_test.go
pkg/kor/create_test_resources.go
pkg/kor/all.go
pkg/kor/delete.go
pkg/kor/multi.go
pkg/kor/exceptions/clusterrolebindings
cmd/kor/clusterrolebindings.go
charts/kor/templates/role.yaml
README.md
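The decision rule from the issue (a binding is unused when its ClusterRole is missing, or when none of its subjects exist; one existing subject is enough to keep it) as an added Go example. This is not kor's own code and not what `pkg/kor/clusterrolebindings.go` ends up looking like: it uses plain structs instead of client-go types, and a constructed in-memory `Cluster` instead of API-server lookups. One caveat a real implementation has to handle: ClusterRoles and ServiceAccounts are API objects that can be listed, but User and Group subjects are not stored by Kubernetes (they come from the authenticator), so the `Users`/`Groups` sets below are assumed to be supplied by the caller. `UnusedReason` is the string a `ShowReason`-style flag would print.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject mirrors the rbac.authorization.k8s.io/v1 subject fields the check needs.
type Subject struct {
	Kind      string // "User", "Group" or "ServiceAccount"
	Name      string
	Namespace string // only set for ServiceAccount subjects
}

// RoleRef is the binding's roleRef; for a ClusterRoleBinding the API server
// only accepts kind ClusterRole, so anything else is treated as missing.
type RoleRef struct {
	Kind string
	Name string
}

type ClusterRoleBinding struct {
	Name     string
	Subjects []Subject
	RoleRef  RoleRef
}

// Cluster is a constructed stand-in for the lookups a real implementation
// would do with a clientset. Users/Groups are not API objects, so these two
// sets are an assumption: whatever list of principals the caller trusts.
type Cluster struct {
	ClusterRoles    map[string]bool // keyed by name
	ServiceAccounts map[string]bool // keyed by "namespace/name"
	Users           map[string]bool
	Groups          map[string]bool
}

func (c Cluster) subjectExists(s Subject) bool {
	switch s.Kind {
	case "ServiceAccount":
		return c.ServiceAccounts[s.Namespace+"/"+s.Name]
	case "User":
		return c.Users[s.Name]
	case "Group":
		return c.Groups[s.Name]
	}
	return false // unknown kinds never count as existing
}

// UnusedReason returns "" when the binding is used, otherwise the reason.
// A missing ClusterRole wins regardless of subjects (example 2); on the
// subject side the binding is only unused when none of them exist (examples
// 1 and 3 and the NOTE in the issue).
func UnusedReason(crb ClusterRoleBinding, c Cluster) string {
	if crb.RoleRef.Kind != "ClusterRole" || !c.ClusterRoles[crb.RoleRef.Name] {
		return fmt.Sprintf("references non-existing ClusterRole %q", crb.RoleRef.Name)
	}
	if len(crb.Subjects) == 0 {
		return "has no subjects"
	}
	var missing []string
	for _, s := range crb.Subjects {
		if c.subjectExists(s) {
			return "" // the role is applied to at least one real subject
		}
		name := s.Name
		if s.Kind == "ServiceAccount" {
			name = s.Namespace + "/" + s.Name
		}
		missing = append(missing, s.Kind+" "+name)
	}
	return "none of its subjects exist: " + strings.Join(missing, ", ")
}

// UnusedClusterRoleBindings collects unused bindings with their reason, keyed by name.
func UnusedClusterRoleBindings(crbs []ClusterRoleBinding, c Cluster) map[string]string {
	out := map[string]string{}
	for _, crb := range crbs {
		if reason := UnusedReason(crb, c); reason != "" {
			out[crb.Name] = reason
		}
	}
	return out
}

// readPodsGlobal is the binding from the issue's example YAML.
var readPodsGlobal = ClusterRoleBinding{
	Name:     "read-pods-global",
	Subjects: []Subject{{Kind: "User", Name: "alice"}, {Kind: "User", Name: "bob"}},
	RoleRef:  RoleRef{Kind: "ClusterRole", Name: "pod-reader"},
}

func main() {
	// The issue's three scenarios as constructed cluster states.
	scenarios := map[string]Cluster{
		"1: alice and bob missing":      {ClusterRoles: map[string]bool{"pod-reader": true}},
		"2: ClusterRole missing":        {Users: map[string]bool{"alice": true, "bob": true}},
		"3: alice exists, bob missing":  {ClusterRoles: map[string]bool{"pod-reader": true}, Users: map[string]bool{"alice": true}},
	}
	for label, c := range scenarios {
		if reason := UnusedReason(readPodsGlobal, c); reason != "" {
			fmt.Printf("%s -> UNUSED (%s)\n", label, reason)
		} else {
			fmt.Printf("%s -> USED\n", label)
		}
	}
}
```

Because Go map reads on a nil map return the zero value, a scenario that omits a set behaves as "nothing of that kind exists", which is exactly the case the check must not misreport as used.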