Missing Rolebindings from lookup #42

Closed
sudermanjr opened this issue Dec 3, 2019 · 2 comments · Fixed by #141

I gave a service account circleci in the namespace helm-system the rolebinding to give it cluster-admin in the development namespace, and rbac-lookup doesn't seem to detect this.

└─ k get rolebinding rbac-definition-circleci-cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-12-03T18:19:04Z"
  labels:
    rbac-manager: reactiveops
  name: rbac-definition-circleci-cluster-admin
  namespace: development
  ownerReferences:
  - apiVersion: rbacmanager.reactiveops.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: RBACDefinition
    name: rbac-definition
    uid: 4919eaca-d8ef-4382-8cbb-2cdbe56f9a47
  resourceVersion: "89419"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/development/rolebindings/rbac-definition-circleci-cluster-admin
  uid: ce79f178-d006-4756-96cb-638ebdc1f9d3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: circleci
  namespace: helm-system
 ~/azure-networking  ⎈  sudermanjr-test development 

└─ rbac-lookup circleci -owide
SUBJECT                                SCOPE          ROLE                   SOURCE
ServiceAccount/helm-system:circleci    cluster-wide   ClusterRole/circleci   ClusterRoleBinding/rbac-definition-circleci-circleci

stale bot commented Oct 17, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Marked as stale by stalebot label Oct 17, 2020
@sudermanjr sudermanjr reopened this Oct 22, 2020
@stale stale bot removed the stale Marked as stale by stalebot label Oct 22, 2020

sudermanjr commented Oct 22, 2020

Okay, I think I might have tracked this down. Steps to reproduce:

  1. Create service account circleci in namespace one
  2. Create this rolebinding in two namespaces, both two and three
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: circleci-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: circleci
  namespace: one

Results:

▶ rbac-lookup circle -owide
SUBJECT                        SCOPE   ROLE                        SOURCE
ServiceAccount/one:circleci    two     ClusterRole/cluster-admin   RoleBinding/circleci-cluster-admin

▶ k delete ns two
namespace "two" deleted

▶ rbac-lookup circleci -owide
SUBJECT                        SCOPE   ROLE                        SOURCE
ServiceAccount/one:circleci    three   ClusterRole/cluster-admin   RoleBinding/circleci-cluster-admin
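
An independent cross-check for the symptom reported above, as an added example that is not rbac-lookup's code: it parses the JSON from `kubectl get rolebindings --all-namespaces -o json` and records every RoleBinding that names a given ServiceAccount. The `nsInKey` switch, the `grantsFor` name and the constructed `sample` are assumptions for illustration; the page does not say which key the tool used before the fix.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of `kubectl get rolebindings --all-namespaces -o json` needed here.
type bindingList struct {
	Items []struct {
		Metadata struct{ Name, Namespace string }
		RoleRef  struct{ Kind, Name string }
		Subjects []struct{ Kind, Name, Namespace string }
	}
}

// Constructed sample: same binding name in "two" and "three" for one:circleci.
const sample = `{"items":[
{"metadata":{"name":"circleci-cluster-admin","namespace":"two"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"circleci","namespace":"one"}]},
{"metadata":{"name":"circleci-cluster-admin","namespace":"three"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"circleci","namespace":"one"}]},
{"metadata":{"name":"viewer","namespace":"two"},"roleRef":{"kind":"Role","name":"view"},"subjects":[{"kind":"ServiceAccount","name":"circleci","namespace":"two"}]}]}`

// grantsFor maps a binding key to "scope role" for each RoleBinding naming the
// ServiceAccount. nsInKey=false (contrast only) lets same-named bindings collide.
func grantsFor(raw []byte, saNS, saName string, nsInKey bool) (map[string]string, error) {
	var list bindingList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	seen := map[string]string{}
	for _, rb := range list.Items {
		for _, s := range rb.Subjects {
			if s.Kind != "ServiceAccount" || s.Namespace != saNS || s.Name != saName {
				continue
			}
			key := rb.Metadata.Name
			if nsInKey {
				key = rb.Metadata.Namespace + "/" + key
			}
			seen[key] = fmt.Sprintf("%s %s/%s", rb.Metadata.Namespace, rb.RoleRef.Kind, rb.RoleRef.Name)
		}
	}
	return seen, nil
}

func main() {
	strict, _ := grantsFor([]byte(sample), "one", "circleci", true)
	fmt.Println(len(strict), strict)
}
```

Comparing the namespace-qualified result with the tool's output shows whether a cluster-admin grant in a second namespace is missing from an access review.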

sudermanjr pushed a commit that referenced this issue Oct 22, 2020
@sudermanjr sudermanjr added this to the Q4 2020 milestone Oct 22, 2020
@sudermanjr sudermanjr added priority: could Future work depending on bandwidth and availability and removed priority: could Future work depending on bandwidth and availability labels Oct 22, 2020
@sudermanjr sudermanjr self-assigned this Oct 22, 2020
@sudermanjr sudermanjr added the priority: could Future work depending on bandwidth and availability label Oct 22, 2020
lucasreed pushed a commit that referenced this issue Oct 23, 2020
…141)

* Write tests to prove that #42 is a bug

* Fix logic with subject key

* add more test coverage

* more e2e tests to cover bugs

* update kind and kube images for e2e tests