Allow filtering for cluster-scoped/namespaced resources
MaxRink opened this issue · comments
What would you like to be added:
Add a flag to just generate RBAC for namespaced or cluster-scoped resources, e.g. `rbac-tool show --scope=cluster` or `rbac-tool show --scope=namespace`.
Why is this needed:
To be able to just grant all possible rights for a specific namespace but prevent usage of those resources in other namespaces. This would allow for more granular usage of the generated roles.
@MaxRink - let me just make sure I am getting this right.
If I run `rbac-tool show --scope=cluster` you would be getting:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations: null
  creationTimestamp: null
  labels: null
  name: custom-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - componentstatuses
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces/finalize
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - namespaces/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  verbs:
  - create
  - delete
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectrulesreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - flowschemas
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - flowschemas/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations/status
  verbs:
  - get
  - patch
  - update
```
Yes, I've quickly PoCed that with MaxRink@d8b1bda. Basically scope cluster would get you all the things that aren't namespaced.
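As an added illustration (not rbac-tool's own code, nor the PoC commit above) of what a `--scope` filter does: discovery marks every API resource as namespaced or not, so "cluster" keeps the non-namespaced ones and "namespace" keeps the rest, with one rule per resource sorted by group and name like the output above. The `APIResource`/`PolicyRule` types and the sample resource list are constructed stand-ins for the Kubernetes `metav1.APIResource` and `rbacv1.PolicyRule` types, so the block runs offline.

```go
package main

import (
	"fmt"
	"sort"
)

// APIResource: the discovery fields that matter for scope filtering
// (a constructed stand-in for metav1.APIResource, not the real type).
type APIResource struct {
	Group      string
	Name       string
	Namespaced bool
	Verbs      []string
}
// PolicyRule mirrors rbacv1.PolicyRule for a single resource.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Constructed sample of what discovery returns; not a dump from a real cluster.
var sampleResources = []APIResource{
	{"", "pods", true, []string{"get", "list", "watch"}},
	{"", "namespaces", false, []string{"create", "delete", "get", "list", "patch", "update", "watch"}},
	{"", "nodes", false, []string{"get", "list", "patch", "update", "watch"}},
	{"rbac.authorization.k8s.io", "roles", true, []string{"get", "list", "watch"}},
	{"rbac.authorization.k8s.io", "clusterroles", false, []string{"get", "list", "watch"}},
}
// RulesForScope keeps only the resources whose scope matches: "cluster" keeps
// non-namespaced resources, "namespace" keeps namespaced ones. One rule per
// resource, sorted by group then name, like the rbac-tool output above.
func RulesForScope(res []APIResource, scope string) ([]PolicyRule, error) {
	if scope != "cluster" && scope != "namespace" {
		return nil, fmt.Errorf("unknown scope %q (want cluster or namespace)", scope)
	}
	wantNamespaced := scope == "namespace"
	var rules []PolicyRule
	for _, r := range res {
		if r.Namespaced != wantNamespaced {
			continue // resource lives in the other scope
		}
		rules = append(rules, PolicyRule{[]string{r.Group}, []string{r.Name}, r.Verbs})
	}
	key := func(r PolicyRule) string { return r.APIGroups[0] + "/" + r.Resources[0] }
	sort.Slice(rules, func(i, j int) bool { return key(rules[i]) < key(rules[j]) })
	return rules, nil
}

func main() {
	rules, _ := RulesForScope(sampleResources, "cluster")
	fmt.Printf("%+v\n", rules)
}
```

On a live cluster the same split can be checked with `kubectl api-resources --namespaced=false` before trusting a generated ClusterRole.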
@MaxRink great - I'll have that merged and released ASAP.
Out of curiosity: what's the entire workflow in which you generate this type of policy? Can you share some color here 🙏🏼
Available as part of v1.12.0
We use it in combination with https://github.com/FairwindsOps/rbac-manager to generate service accounts that have full rights in some namespaces but not in others, while basically being read-only everywhere. Basically to prevent teams from altering platform components.