Added functionality to fetch subresources
Added fetching subresources. The filtering mechanism is unchanged since the syntax is:
rbac-tool gen --deny-resources=clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,pods/exec. --allowed-verbs=get,list,watch
https://github.com/alcideio/rbac-tool/issues/48
@eightseventhreethree - thanks for the PR.
I looked into the change here and while it is minimal - it would change the entire behavior in a way that is likely broader than what one would intend.
Subresources such as pods/exec have specific verbs that they support - the way that the code works today is by grouping rules for resources that share verbs.
The introduction of the change with existing code would create policies that are inaccurate - for example pods/exec with list verb - which is not supported/relevant and would create confusion.
Take a look at the output of the new command kubectl rbac-tool show - it should give a better color why supporting subresources requires a slightly different UX and implementation.
Understood, however in its current implementation it's also non-functional, since without the subresources the RBAC policy doesn't actually allow you access to the resources you have defined.
@eightseventhreethree - I'll find time to further look into it.
kubectl rbac-tool show should provide enough functionality to address this
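
Added example, not part of the thread and not rbac-tool's code: one way to keep generated rules accurate when subresources are included is to give each resource only the allowed verbs it supports before grouping by verb set, so pods/exec never ends up with list. GroupByVerbs, Resource and the sample discovery data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resource is one API discovery entry: a (sub)resource name and its verbs.
type Resource struct {
	Name  string
	Verbs []string
}

// GroupByVerbs (hypothetical name) keeps, per non-denied resource, only the
// allowed verbs it supports; keys are the sorted, comma-joined verbs of a rule.
func GroupByVerbs(discovered []Resource, allowed, denied map[string]bool) map[string][]string {
	rules := map[string][]string{}
	for _, r := range discovered {
		var verbs []string
		for _, v := range r.Verbs {
			if allowed[v] {
				verbs = append(verbs, v)
			}
		}
		if denied[r.Name] || len(verbs) == 0 {
			continue // denied, or none of the allowed verbs applies
		}
		sort.Strings(verbs)
		key := strings.Join(verbs, ",")
		rules[key] = append(rules[key], r.Name)
	}
	return rules
}

// Sample is constructed discovery data, not captured from a cluster.
var Sample = []Resource{
	{"pods", []string{"create", "delete", "get", "list", "watch"}},
	{"pods/exec", []string{"create", "get"}},
	{"pods/log", []string{"get"}},
	{"secrets", []string{"get", "list", "watch"}},
}

func main() {
	allowed := map[string]bool{"get": true, "list": true, "watch": true}
	for verbs, res := range GroupByVerbs(Sample, allowed, map[string]bool{"secrets": true}) {
		fmt.Printf("resources=%v verbs=[%s]\n", res, verbs)
	}
}
```

With get, list and watch allowed, the sample yields one rule for pods and a separate get-only rule for pods/exec and pods/log.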