From 1fc27104b1f84108a5bf30b1024b5927f6743169 Mon Sep 17 00:00:00 2001
From: gadinaor-r7 <78914287+gadinaor-r7@users.noreply.github.com>
Date: Mon, 12 Jun 2023 23:05:03 +0300
Subject: [PATCH] Do not add non-namespaced resources to a Kubernetes RBAC Role. Non-namespaced resources are cluster-scoped resources, and RBAC Roles are specific to a particular namespace. (#83)
---
 cmd/generate_cmd.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/cmd/generate_cmd.go b/cmd/generate_cmd.go
index 26fb406..2a06667 100644
--- a/cmd/generate_cmd.go
+++ b/cmd/generate_cmd.go
@@ -56,7 +56,7 @@ rbac-tool gen --generated-type=ClusterRole --deny-resources=secrets., --allowed-
 return fmt.Errorf("Failed to create kubernetes client - %v", err)
 }
- computedPolicyRules, err := generateRules(kubeClient.ServerPreferredResources, sets.NewString(denyResources...), sets.NewString(allowedGroups...), sets.NewString(allowedVerb...))
+ computedPolicyRules, err := generateRules(generateKind, kubeClient.ServerPreferredResources, sets.NewString(denyResources...), sets.NewString(allowedGroups...), sets.NewString(allowedVerb...))
 if err != nil {
 return err
 }
@@ -122,7 +122,8 @@ func generateRole(generateKind string, rules []rbacv1.PolicyRule) (string, error
 return writer.String(), nil
 }
-func generateRules(apiresourceList []*metav1.APIResourceList, denyResources sets.String, includeGroups sets.String, allowedVerbs sets.String) ([]rbacv1.PolicyRule, error) {
+func generateRules(generateKind string, apiresourceList []*metav1.APIResourceList, denyResources sets.String, includeGroups sets.String, allowedVerbs sets.String) ([]rbacv1.PolicyRule, error) {
+ isRole := generateKind == "Role"
 errs := []error{}
 computedPolicyRules := make([]rbacv1.PolicyRule, 0)
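Review bot: `isRole := generateKind == "Role"` in the new generateRules signature is an exact, case-sensitive match, so any other spelling of the kind that reaches this point (the hunk does not show how --generated-type is validated or normalised) silently disables the filter and the generated Role keeps cluster-scoped rules; if the value is not already normalised upstream, `isRole := strings.EqualFold(generateKind, "Role")` (strings is already imported for the ToLower calls in the next hunk) or an explicit error for an unrecognised kind would be safer. The function also has no doc comment; a line such as `// generateRules builds PolicyRules from the discovered API resources, skipping cluster-scoped resources when generateKind is "Role" because Role rules are bound to one namespace.` would record the new behaviour at the signature. Passing a bool such as `namespacedOnly` instead of the kind string would also keep generateRules independent of the CLI's kind vocabulary. The body of generateRules continues past this hunk.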
@@ -160,6 +161,11 @@ func generateRules(apiresourceList []*metav1.APIResourceList, denyResources sets
 for _, kind := range apiGroup.APIResources {
+ if isRole && !kind.Namespaced {
+ //When generating role - non-namespaced resources are not relevant
+ continue
+ }
+
 if denyResources.Has(fmt.Sprintf("%v.%v", strings.ToLower(kind.Name), strings.ToLower(gv.Group))) {
 continue
 }
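Review bot: The new comment `//When generating role - non-namespaced resources are not relevant` should use the `// ` form and give the reason rather than restate the condition, e.g. `// A Role is bound to a single namespace, so a rule for a cluster-scoped resource can never match; skip it.` Keying the skip on `kind.Namespaced` from server discovery is the right signal, and placing the `continue` ahead of the deny-list check is fine since a skipped resource needs no further filtering. The enclosing loop over apiGroup.APIResources starts before this hunk and its body continues past it.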