
auth can-i could support GroupVersionResources with * for resource within a specific group #1549

Open
djmcgreal-cc opened this issue Jan 24, 2024 · 5 comments · May be fixed by kubernetes/kubernetes#124943
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@djmcgreal-cc

What would you like to be added:

Support for kubectl auth can-i verb *.group queries.

Why is this needed:

Currently it's not possible to make such queries because the code only checks if the whole argument is *.

@djmcgreal-cc djmcgreal-cc added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 24, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 24, 2024
@mpuckett159
Contributor

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourceattributes-v1-authorization-k8s-io
Please see this documentation for the API. The endpoint on the API server itself (which is what kubectl is querying) appears to only support explicitly the * character for a return of all resources, and so we would need to work with the SIG-Auth to attempt to update how that API works.

cc @enj for thoughts on this.

@djmcgreal-cc
Author

The group parameter is independent from resource and also accepts a *?

@enj
Member

enj commented Apr 3, 2024

Running kubectl auth can-i verb *.apps causes the following API call:

{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "verb",
      "resource": "*.apps"  # not the best parsing
    }
  }
}

The user likely wants the following API call instead:

{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "verb",
      "resource": "*",  # this seems like the
      "group": "apps"   # more correct parsing
    }
  }
}

It should be fine to add more nuanced special case logic around *.foo being treated as resource=* and group=foo. We should be careful not to break any existing flows, of course.
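
The parsing the thread converges on (a bare `*` stays `*`; `*.apps` becomes resource `*` plus group `apps`; a `/subresource` suffix is split off first), written out as an added example that is not kubectl's own code. It assumes the group is whatever follows the first dot, so version-qualified `resource.version.group` forms and RESTMapper lookups are out of scope, and it emits the SelfSubjectAccessReview body enj shows above so the effect of the parse is visible.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ResourceAttributes mirrors the authorization.k8s.io/v1
// SelfSubjectAccessReview.spec.resourceAttributes fields used here.
type ResourceAttributes struct {
	Namespace   string `json:"namespace,omitempty"`
	Verb        string `json:"verb"`
	Group       string `json:"group,omitempty"`
	Resource    string `json:"resource"`
	Subresource string `json:"subresource,omitempty"`
}

// parseResourceArg splits a can-i resource argument of the form
// resource[.group][/subresource]. A bare "*" stays "*"; "*.apps"
// yields resource="*", group="apps" (the behaviour this issue asks for).
// Assumption: group is everything after the first dot; this example
// does not handle resource.version.group or RESTMapper resolution.
func parseResourceArg(arg string) (resource, group, subresource string) {
	arg = strings.ToLower(arg)
	if i := strings.Index(arg, "/"); i >= 0 {
		arg, subresource = arg[:i], arg[i+1:]
	}
	if arg == "*" {
		return "*", "", subresource
	}
	resource, group, _ = strings.Cut(arg, ".")
	return resource, group, subresource
}

// reviewBody builds the SelfSubjectAccessReview JSON that the parsed
// argument would translate into (constructed here for illustration).
func reviewBody(namespace, verb, arg string) ([]byte, error) {
	r, g, s := parseResourceArg(arg)
	body := map[string]any{
		"kind":       "SelfSubjectAccessReview",
		"apiVersion": "authorization.k8s.io/v1",
		"spec": map[string]any{"resourceAttributes": ResourceAttributes{
			Namespace: namespace, Verb: verb, Group: g, Resource: r, Subresource: s}},
	}
	return json.MarshalIndent(body, "", "  ")
}

func main() {
	b, _ := reviewBody("default", "get", "*.apps")
	fmt.Println(string(b)) // resource "*" with group "apps", not resource "*.apps"
}
```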

@eddiezane
Member

Ah that makes sense. Thanks Mo!

I think we'd accept a PR that expands on this parsing (or maybe allows for a --group flag?).

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 3, 2024
@TessaIO
Contributor

TessaIO commented May 13, 2024

/assign
