Get allowed kubectl builder verbs and resources dynamically #981

Open
mszostok opened this issue Feb 14, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@mszostok
Contributor

Overview

The kubectl plugin requires manual configuration for the interactive builder.

This can be removed and we should take the allowed verbs and resources (kinds) based on the configured RBAC rules.

There is a SelfSubjectRulesReviews() that we can use for that purpose.

package auth

import (
	"context"

	authv1 "k8s.io/api/authorization/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	v1 "k8s.io/client-go/kubernetes/typed/authorization/v1"
)

// K8sAuth wraps the authorization.k8s.io/v1 client used to ask the API server
// which rules apply to the current subject.
type K8sAuth struct {
	cli v1.AuthorizationV1Interface
}

func NewK8sAuth(cli v1.AuthorizationV1Interface) *K8sAuth {
	return &K8sAuth{
		cli: cli,
	}
}

// GetAllowedResources creates a SelfSubjectRulesReview for the given namespace
// and returns the resource rules the API server reports for the caller.
func (c *K8sAuth) GetAllowedResources(ns string) ([]authv1.ResourceRule, error) {
	sar := &authv1.SelfSubjectRulesReview{
		Spec: authv1.SelfSubjectRulesReviewSpec{
			Namespace: ns,
		},
	}
	response, err := c.cli.SelfSubjectRulesReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
	if err != nil {
		return nil, err
	}

	return response.Status.ResourceRules, nil
}

Based on your perms it will return a list of resource rules:

v1.SubjectRulesReviewStatus{
  ResourceRules: []v1.ResourceRule{
    v1.ResourceRule{
      Verbs: []string{
        "create",
      },
      APIGroups: []string{
        "authorization.k8s.io",
      },
      Resources: []string{
        "selfsubjectaccessreviews",
        "selfsubjectrulesreviews",
      },
      ResourceNames: nil,
    },
    v1.ResourceRule{
      Verbs: []string{
        "get",
        "list",
        "watch",
      },
      APIGroups: []string{
        "",
      },
      Resources: []string{
        "nodes",
        "nodes/proxy",
        "services",
        "endpoints",
        "pods",
      },
      ResourceNames: nil,
    },
    v1.ResourceRule{
      Verbs: []string{
        "get",
        "list",
        "watch",
      },
      APIGroups: []string{
        "extensions",
      },
      Resources: []string{
        "ingresses",
      },
      ResourceNames: nil,
    },
  },
  NonResourceRules: []v1.NonResourceRule{
    v1.NonResourceRule{
      Verbs: []string{
        "get",
      },
      NonResourceURLs: []string{
        "/healthz",
        "/livez",
        "/readyz",
        "/version",
        "/version/",
      },
    },
    v1.NonResourceRule{
      Verbs: []string{
        "get",
      },
      NonResourceURLs: []string{
        "/.well-known/openid-configuration",
        "/openid/v1/jwks",
      },
    },
    v1.NonResourceRule{
      Verbs: []string{
        "get",
      },
      NonResourceURLs: []string{
        "/api",
        "/api/*",
        "/apis",
        "/apis/*",
        "/healthz",
        "/livez",
        "/openapi",
        "/openapi/*",
        "/readyz",
        "/version",
        "/version/",
      },
    },
  },
  Incomplete: false,
  EvaluationError: "",
}

However, if you have cluster admin it will return *, so we probably need to use the discovery client and take the API Resources as we do here.

The next thing is to remove the verbs/resources not supported by the interactive builder. For example, exec, apply etc. We don't support them as they require an adjusted flow. For example, exec should be constructed only without interactivity, only with inlined commands like kubectl exec mypod -- date. For apply we should print an additional input field to specify the external URL or paste a K8s object.

Reason

Simplify the kubectl builder configuration.
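As an added example (not code from the issue or the project), the two steps the issue describes after fetching the rules: expanding the cluster-admin wildcard against what the discovery client reports, and dropping verbs and subresources the interactive builder cannot drive. ResourceRule is a stand-in for the authorizationv1.ResourceRule fields used, the discovery map and the unsupported-verb set are constructed inputs, and the rbacVerbs list is an assumed expansion of "*".

```go
package main

import "strings"

// ResourceRule mirrors the authorizationv1.ResourceRule fields used here (a stand-in so no client-go is needed).
type ResourceRule struct{ Verbs, APIGroups, Resources []string }

// Verbs a wildcard "*" can stand for; the builder only ever offers verbs from this list (assumed set).
var rbacVerbs = []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"}

// grants reports whether an RBAC list names s explicitly or via the wildcard "*".
func grants(list []string, s string) bool {
	for _, x := range list {
		if x == s || x == "*" {
			return true
		}
	}
	return false
}

// AllowedVerbs maps each top-level resource ("pods", "ingresses.extensions") to the verbs the
// rules grant, in rbacVerbs order. discovered is API group -> resource names from the discovery
// client ("" = core), so "*" rules expand to what the cluster really serves. Subresources
// (pods/exec, nodes/proxy) and verbs in unsupported are dropped: the builder has no flow for them.
func AllowedVerbs(rules []ResourceRule, discovered map[string][]string, unsupported map[string]bool) map[string][]string {
	out := map[string][]string{}
	for _, r := range rules {
		for g, known := range discovered {
			if !grants(r.APIGroups, g) {
				continue
			}
			for _, res := range known {
				if strings.Contains(res, "/") || !grants(r.Resources, res) {
					continue
				}
				key := res
				if g != "" {
					key += "." + g // kubectl-style fully qualified name
				}
				for _, v := range rbacVerbs {
					if grants(r.Verbs, v) && !unsupported[v] && !grants(out[key], v) { // last check: not added yet
						out[key] = append(out[key], v)
					}
				}
			}
		}
	}
	return out
}
```

Feeding the rules from the sample output above yields get/list for pods, services, endpoints, nodes and ingresses.extensions (nodes/proxy is dropped), while a single {*, *, *} rule expands to every discovered top-level resource.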
