Parts of aggregated ClusterRoles are being highlighted as unused #309

jordiprats · 2024-04-26T09:55:41Z

Describe the bug

ClusterRoles that are being aggregated to a another one, they appear unused in the report (POP-400)

To Reproduce

Using

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: demo-main
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-demo: "true"

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-demo: "true"
  name: demo-part
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list

Will appear unused, although it's being "used" by the ClusterRole that is being aggregated to (demo-main)

Expected behavior

ClusterRoles that are part of another ClusterRole shouldn't be highlighted

Versions (please complete the following information):

Popeye 0.21.3

Additional context
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

The text was updated successfully, but these errors were encountered:

jordiprats linked a pull request Apr 26, 2024 that will close this issue

Add support for ClusterRule aggregationRule #310

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parts of aggregated ClusterRoles are being highlighted as unused #309

Parts of aggregated ClusterRoles are being highlighted as unused #309

jordiprats commented Apr 26, 2024

Parts of aggregated ClusterRoles are being highlighted as unused #309

Parts of aggregated ClusterRoles are being highlighted as unused #309

Comments

jordiprats commented Apr 26, 2024