

Do not add non-namespaced resources to a Kubernetes RBAC Role. Non-na…
…mespaced resources are cluster-scoped resources, and RBAC Roles are specific to a particular namespace. (#83)
gadinaor-r7 committed Jun 12, 2023
1 parent f36aac1 commit 1fc2710
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions cmd/generate_cmd.go
Expand Up @@ -56,7 +56,7 @@ rbac-tool gen --generated-type=ClusterRole --deny-resources=secrets., --allowed-
return fmt.Errorf("Failed to create kubernetes client - %v", err)
}

computedPolicyRules, err := generateRules(kubeClient.ServerPreferredResources, sets.NewString(denyResources...), sets.NewString(allowedGroups...), sets.NewString(allowedVerb...))
computedPolicyRules, err := generateRules(generateKind, kubeClient.ServerPreferredResources, sets.NewString(denyResources...), sets.NewString(allowedGroups...), sets.NewString(allowedVerb...))
if err != nil {
return err
}
Expand Down Expand Up @@ -122,7 +122,8 @@ func generateRole(generateKind string, rules []rbacv1.PolicyRule) (string, error
return writer.String(), nil
}

func generateRules(apiresourceList []*metav1.APIResourceList, denyResources sets.String, includeGroups sets.String, allowedVerbs sets.String) ([]rbacv1.PolicyRule, error) {
func generateRules(generateKind string, apiresourceList []*metav1.APIResourceList, denyResources sets.String, includeGroups sets.String, allowedVerbs sets.String) ([]rbacv1.PolicyRule, error) {
isRole := generateKind == "Role"
errs := []error{}

computedPolicyRules := make([]rbacv1.PolicyRule, 0)
Expand Down Expand Up @@ -160,6 +161,11 @@ func generateRules(apiresourceList []*metav1.APIResourceList, denyResources sets

for _, kind := range apiGroup.APIResources {

if isRole && !kind.Namespaced {
//When generating role - non-namespaced resources are not relevant
continue
}

if denyResources.Has(fmt.Sprintf("%v.%v", strings.ToLower(kind.Name), strings.ToLower(gv.Group))) {
continue
}
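Review bot: The new filter `if isRole && !kind.Namespaced` hinges on an exact-case string match, `isRole := generateKind == "Role"`, so any other spelling of the kind that reaches this function (whether the flag is normalized before the call is not visible here) silently disables the filter and cluster-scoped resources are emitted into the generated rules. Consider comparing against the same constant generateRole dispatches on, or at least documenting the accepted values on the new parameter: `// generateKind is "Role" or "ClusterRole"; for "Role", cluster-scoped resources are skipped because a namespaced Role cannot grant them.` The skip is also silent, so a debug-level log naming the dropped resource would help an operator understand why a resource they expected does not appear in the output. generateRules begins in the second hunk and ends outside the visible hunks.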

