Subresources support for generated rules
scorsair opened this issue · comments
What would you like to be added:
It would be nice to add subresources support to the RBAC generation functionality.
Why is this needed:
It can make generation rules useful =)
Now I have to rewrite them manually after generation.
Thanks for the reference, I haven't seen that proposition before. My point is that the generated rules should contain all possible apiGroups, including subresources like pod/exec, pod/log, etc. Especially if we use [""]. The current rules that we generate with [""] are not full and don't cover all cluster permissions because of the lack of subresources.
It would be nice to support namespaced resources:
--namespaced=true|false|none # true - only namespaced, false - all resources, none - only non namespaced resources
@scorsair which command are you referring to?
All my proposals are about rbac-tool gen
An example for namespaced resources is: kubectl api-resources --namespaced=true
@scorsair - can you please provide some use cases - how specifically would you use the namespaced flag?
What policies are you trying to generate?
The main purpose is to make a pipeline for generating roles for customers per namespace + clusterwide. Roles should be specific and contain only allowed items. Currently we cannot use the tool because of the lack of subresources in generated roles when we use an asterisk.
The namespaced resources are a nice-to-have feature to reduce rules for better visibility and support.
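The behaviour requested in this thread, sketched as an added example (not code from the issue or from rbac-tool): expand an API discovery document into explicit RBAC rules that list subresources by name and honour the proposed tri-state namespaced filter. The function names, the `allowed_verbs` parameter and the sample discovery data are assumptions made for illustration; the sample is constructed, not captured from a cluster.

```python
import json

# Constructed sample shaped like an APIResourceList from `kubectl get --raw /api/v1`
# (trimmed for the example; not captured from a real cluster).
DISCOVERY = json.loads("""
{"kind": "APIResourceList", "groupVersion": "v1", "resources": [
  {"name": "pods", "namespaced": true, "verbs": ["create", "delete", "get", "list", "watch"]},
  {"name": "pods/exec", "namespaced": true, "verbs": ["create", "get"]},
  {"name": "pods/log", "namespaced": true, "verbs": ["get"]},
  {"name": "nodes", "namespaced": false, "verbs": ["get", "list", "watch"]},
  {"name": "nodes/proxy", "namespaced": false, "verbs": ["create", "delete", "get"]}
]}
""")


def api_group(group_version):
    """'v1' -> '' (core group); 'apps/v1' -> 'apps'."""
    return group_version.rsplit("/", 1)[0] if "/" in group_version else ""


def build_rules(discovery, namespaced="false", allowed_verbs=None):
    """Expand a discovery document into explicit RBAC rules, subresources included.

    namespaced follows the tri-state proposed in the thread (hypothetical flag):
    "true" = only namespaced, "false" = all resources, "none" = only cluster-scoped.
    """
    if namespaced not in ("true", "false", "none"):
        raise ValueError("namespaced must be true, false or none")
    group = api_group(discovery["groupVersion"])
    by_verbs = {}
    for res in discovery["resources"]:
        if namespaced == "true" and not res["namespaced"]:
            continue
        if namespaced == "none" and res["namespaced"]:
            continue
        verbs = sorted(v for v in res.get("verbs", [])
                       if allowed_verbs is None or v in allowed_verbs)
        if verbs:  # skip resources left with no permitted verb
            by_verbs.setdefault(tuple(verbs), []).append(res["name"])
    # One rule per distinct verb set keeps the output short and reviewable.
    return [{"apiGroups": [group], "resources": sorted(names), "verbs": list(verbs)}
            for verbs, names in sorted(by_verbs.items())]


if __name__ == "__main__":
    print(json.dumps(build_rules(DISCOVERY, "true", {"get", "list", "watch"}), indent=2))
```

Because subresources such as `pods/exec` appear as named entries, a reviewer can see and remove them from a customer role instead of having them implied by a wildcard.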