Add metadata flags for name, namespace and annotations #94

wants to merge 3 commits into from
18 changes: 13 additions & 5 deletions cmd/generate_cmd.go
Expand Up @@ -22,11 +22,14 @@ import (
func NewCommandGenerateClusterRole() *cobra.Command {

clusterContext := ""
name := "custom-cluster-reader"
namespace := "myappnamespace"
generateKind := ""
allowedGroups := []string{}
//expandGroups := []string{}
allowedVerb := []string{}
denyResources := []string{}
annotations := map[string]string{}

// Support overrides
cmd := &cobra.Command{
Expand Down Expand Up @@ -61,7 +64,7 @@ rbac-tool gen --generated-type=ClusterRole --deny-resources=secrets., --allowed-
return err
}

obj, err := generateRole(generateKind, computedPolicyRules)
obj, err := generateRole(generateKind, computedPolicyRules, name, namespace, annotations)
if err != nil {
return err
}
Expand All @@ -76,15 +79,18 @@ rbac-tool gen --generated-type=ClusterRole --deny-resources=secrets., --allowed-

flags.StringVarP(&generateKind, "generated-type", "t", "ClusterRole", "Role or ClusterRole")
flags.StringVarP(&clusterContext, "cluster-context", "c", "", "Cluster.use 'kubectl config get-contexts' to list available contexts")
flags.StringVar(&name, "name", "", "Name of Role/ClusterRole")
flags.StringVarP(&namespace, "namespace", "n", "", "Namespace of Role/ClusterRole")
//flags.StringSliceVarP(&expandGroups, "expand-groups", "g", []string{""}, "Comma separated list of API groups we would like to list all resource kinds rather than using wild cards '*'")
flags.StringSliceVar(&allowedGroups, "allowed-groups", []string{"*"}, "Comma separated list of API groups we would like to allow '*'")
flags.StringSliceVar(&allowedVerb, "allowed-verbs", []string{"*"}, "Comma separated list of verbs to include. To include all use '*'")
flags.StringSliceVar(&denyResources, "deny-resources", []string{""}, "Comma separated list of resource.group - for example secret. to deny secret (core group) access")
flags.StringToStringVar(&annotations, "annotations", map[string]string{}, "Custom annotations")

return cmd
}

func generateRole(generateKind string, rules []rbacv1.PolicyRule) (string, error) {
func generateRole(generateKind string, rules []rbacv1.PolicyRule, name string, namespace string, annotations map[string]string) (string, error) {
var obj runtime.Object

if generateKind == "ClusterRole" {
Expand All @@ -94,7 +100,8 @@ func generateRole(generateKind string, rules []rbacv1.PolicyRule) (string, error
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "custom-cluster-role",
Name: name,
Annotations: annotations,
},
Rules: rules,
}
Expand All @@ -105,8 +112,9 @@ func generateRole(generateKind string, rules []rbacv1.PolicyRule) (string, error
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "custom-role",
Namespace: "mynamespace",
Name: name,
Namespace: namespace,
Annotations: annotations,
},
Rules: rules,
}
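Review bot: The `--name` and `--namespace` flags are registered with an empty-string default (lines 64–65), which overwrites the `custom-cluster-reader` / `myappnamespace` values assigned at lines 40–41, so a run without those flags emits a Role/ClusterRole with an empty `metadata.name`, which is invalid when the manifest is applied. Pass the variables' current values as the defaults instead: `flags.StringVar(&name, "name", name, "Name of Role/ClusterRole")` and `flags.StringVarP(&namespace, "namespace", "n", namespace, "Namespace of Role/ClusterRole")`. The same pattern appears in cmd/show_permissions_cmd.go (flags at lines 141–142, initializers at lines 109–110). The body of NewCommandGenerateClusterRole continues outside the hunk.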
53 changes: 51 additions & 2 deletions cmd/show_permissions_cmd.go
Expand Up @@ -22,12 +22,15 @@ import (
func NewCommandGenerateShowPermissions() *cobra.Command {

clusterContext := ""
name := "custom-role"
namespace := "myappnamespace"
generateKind := "ClusterRole"
forGroups := []string{"*"}
withVerb := []string{"*"}
scope := "cluster"
denyVerb := []string{}
denyResource := []string{}
annotations := map[string]string{}

// Support overrides
cmd := &cobra.Command{
Expand Down Expand Up @@ -84,10 +87,12 @@ rbac-tool show --scope=namespaced --without-verbs=create,update,patch,delete,del
return err
}

mergedPolicyRoles := mergePolicyRules(computedPolicyRules)

if scope == "namespaced" {
generateKind = "Role"
}
obj, err := generateRole(generateKind, computedPolicyRules)
obj, err := generateRole(generateKind, mergedPolicyRoles, name, namespace, annotations)
if err != nil {
return err
}
Expand All @@ -100,12 +105,15 @@ rbac-tool show --scope=namespaced --without-verbs=create,update,patch,delete,del

flags := cmd.Flags()

flags.StringVarP(&clusterContext, "cluster-context", "c", "", "Cluster.use 'kubectl config get-contexts' to list available contexts")
flags.StringVarP(&clusterContext, "cluster-context", "c", "", "Cluster. Use 'kubectl config get-contexts' to list available contexts")
flags.StringVar(&name, "name", "", "Name of Role/ClusterRole")
flags.StringVarP(&namespace, "namespace", "n", "", "Namespace of Role/ClusterRole")
flags.StringVarP(&scope, "scope", "", "all", "Filter by resource scope. Valid values are: 'cluster' | 'namespaced' | 'all' ")
flags.StringSliceVar(&forGroups, "for-groups", []string{"*"}, "Comma separated list of API groups we would like to show the permissions")
flags.StringSliceVar(&withVerb, "with-verbs", []string{"*"}, "Comma separated list of verbs to include. To include all use '*'")
flags.StringSliceVar(&denyVerb, "without-verbs", []string{""}, "Comma separated list of verbs to exclude.")
flags.StringSliceVar(&denyResource, "without-resources", []string{""}, "Comma separated list of resources to exclude. Syntax: <resourceName>.<apiGroup>")
flags.StringToStringVar(&annotations, "annotations", map[string]string{}, "Custom annotations")

return cmd
}
Expand Down Expand Up @@ -197,3 +205,44 @@ func generateRulesWithSubResources(apiresourceList []*metav1.APIResourceList, sc

return computedPolicyRules, errors.NewAggregate(errs)
}

type RuleAggregate struct {
Verbs sets.String
Resources sets.String
}

func mergePolicyRules(rules []rbacv1.PolicyRule) []rbacv1.PolicyRule {

var mergedRules []rbacv1.PolicyRule

groupedRules := make(map[string]*RuleAggregate)

for _, rule := range rules {
apiGroup := rule.APIGroups[0]
if apiGroup == "" {
apiGroup = "v1"
}

if _, exists := groupedRules[apiGroup]; !exists {
groupedRules[apiGroup] = &RuleAggregate{
Resources: sets.NewString(),
Verbs: sets.NewString(),
}
}
groupedRules[apiGroup].Resources.Insert(rule.Resources...)
groupedRules[apiGroup].Verbs.Insert(rule.Verbs...)
}

for apiGroup, aggregates := range groupedRules {
if apiGroup == "v1" {
apiGroup = ""
}
newRule := rbacv1.PolicyRule{
APIGroups: []string{apiGroup},
Resources: aggregates.Resources.List(),
Verbs: aggregates.Verbs.List(),
}
mergedRules = append(mergedRules, newRule)
}
return mergedRules
}
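Review bot: mergePolicyRules (lines 162–196) widens the permissions it reports: it unions both the verbs and the resources of every rule in an API group into a single rule, so input rules `pods: get` and `secrets: delete` come out as `pods,secrets: get,delete`, granting verbs that no input rule allowed. It also indexes `rule.APIGroups[0]` without a length check (line 169), drops `ResourceNames` and `NonResourceURLs` from the output rule (lines 188–192), and emits rules in random map order (line 184), so the same cluster state renders differently on each run. Keying the aggregate on API group plus the exact verb set, passing through rules that cannot be collapsed safely, and walking keys in insertion order addresses all of these; a sketch follows (it uses `strings.Join`, so add the `strings` import if the file lacks it). The local `mergedPolicyRoles` at line 125 should probably read `mergedPolicyRules`.
```go
type RuleAggregate struct {
	APIGroup  string
	Verbs     sets.String
	Resources sets.String
}

func mergePolicyRules(rules []rbacv1.PolicyRule) []rbacv1.PolicyRule {
	var mergedRules []rbacv1.PolicyRule

	// Key on API group AND the exact verb set: uniting verbs across rules
	// would grant verbs on resources that no input rule allowed.
	groupedRules := make(map[string]*RuleAggregate)
	var order []string // insertion order keeps the output deterministic

	for _, rule := range rules {
		if len(rule.APIGroups) != 1 || len(rule.ResourceNames) > 0 || len(rule.NonResourceURLs) > 0 {
			mergedRules = append(mergedRules, rule) // not safe to collapse; keep verbatim
			continue
		}
		verbs := sets.NewString(rule.Verbs...)
		key := rule.APIGroups[0] + "|" + strings.Join(verbs.List(), ",")
		agg, exists := groupedRules[key]
		if !exists {
			agg = &RuleAggregate{APIGroup: rule.APIGroups[0], Verbs: verbs, Resources: sets.NewString()}
			groupedRules[key] = agg
			order = append(order, key)
		}
		agg.Resources.Insert(rule.Resources...)
	}

	for _, key := range order {
		agg := groupedRules[key]
		mergedRules = append(mergedRules, rbacv1.PolicyRule{
			APIGroups: []string{agg.APIGroup},
			Resources: agg.Resources.List(),
			Verbs:     agg.Verbs.List(),
		})
	}
	return mergedRules
}
```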