Visualizing RBAC incorrectly classifies ServiceAccount as missing
staranto opened this issue
**What happened**:
See https://imgur.com/a/TpcIyRx
The sa/c-sa exists in the namespace as per this:
```
kubectl get sa,roles,rolebindings -n staranto
NAME                      SECRETS   AGE
serviceaccount/builder    2         5d17h
serviceaccount/c-sa       2         14m
serviceaccount/default    2         5d17h
serviceaccount/deployer   2         5d17h

NAME                                              AGE
role.rbac.authorization.k8s.io/role-core          15h
role.rbac.authorization.k8s.io/role-privileged    7m5s

NAME                                                                AGE
rolebinding.rbac.authorization.k8s.io/admin                         5d17h
rolebinding.rbac.authorization.k8s.io/c-sa-core-rolebinding         13m
rolebinding.rbac.authorization.k8s.io/c-sa-privileged-rolebinding   7m5s
rolebinding.rbac.authorization.k8s.io/system:deployers              5d17h
rolebinding.rbac.authorization.k8s.io/system:image-builders         5d17h
rolebinding.rbac.authorization.k8s.io/system:image-pullers          5d17h
```
**What you expected to happen**:
I expect the c-sa subject to be rendered in the namespace and not flagged as missing.
**How to reproduce it (as minimally and precisely as possible)**:
`rbac-tool viz --outformat dot --outfile rbac.dot --include-subjects c-sa`
**Anything else we need to know?**:
**Environment**:
- Kubernetes version (use `kubectl version`):
  ```
  Client Version: v1.18.3
  Server Version: v1.17.1+912792b
  ```
- Cloud provider or configuration: OpenShift 4.4.9
- Install tools:
  ```
  rbac-tool version
  Version: 0.9.0
  Commit: 3b08e35c143a8b7ecf3a43303bca1c7dfe19c837
  ```
- Others:
  ```
  dot -V
  dot - graphviz version 2.43.0 (0)
  ```