popeye
Parts of aggregated ClusterRoles are being highlighted as unused
Describe the bug
ClusterRoles that are being aggregated to another one appear unused in the report (POP-400)
To Reproduce
Using
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: demo-main
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-demo: "true"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-demo: "true"
  name: demo-part
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
demo-part will appear unused, although it's being "used" by the ClusterRole that it is being aggregated to (demo-main)
Expected behavior
ClusterRoles that are part of another ClusterRole shouldn't be highlighted
Versions (please complete the following information):
- Popeye 0.21.3
Additional context https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
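
An added Go sketch (not Popeye's code and not part of the issue) of the check the report asks for: a ClusterRole counts as used when it is bound or when another ClusterRole's aggregationRule selects its labels. The `ClusterRole` type, the function names, the `bound` set and the `demo-orphan` role are assumptions made for the example, and only `matchLabels` is modelled.

```go
package main

import "fmt"

// ClusterRole is a minimal stand-in for the RBAC object (hypothetical type).
type ClusterRole struct {
	Name      string
	Labels    map[string]string
	Selectors []map[string]string // aggregationRule.clusterRoleSelectors[].matchLabels
}

// matches reports whether labels carry every pair in sel; a selector with no matchLabels is ignored.
func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return len(sel) > 0
}

// aggregated reports whether another ClusterRole selects r through its aggregationRule.
func aggregated(r ClusterRole, roles []ClusterRole) bool {
	for _, agg := range roles {
		for _, sel := range agg.Selectors {
			if agg.Name != r.Name && matches(sel, r.Labels) {
				return true
			}
		}
	}
	return false
}

// UnusedClusterRoles lists roles that are neither bound nor aggregated, in input order.
func UnusedClusterRoles(roles []ClusterRole, bound map[string]bool) (unused []string) {
	for _, r := range roles {
		if !bound[r.Name] && !aggregated(r, roles) {
			unused = append(unused, r.Name)
		}
	}
	return unused
}

func main() {
	sel := map[string]string{"rbac.authorization.k8s.io/aggregate-to-demo": "true"}
	roles := []ClusterRole{ // constructed sample: the issue's two roles plus an unreferenced one
		{Name: "demo-main", Selectors: []map[string]string{sel}},
		{Name: "demo-part", Labels: sel},
		{Name: "demo-orphan"},
	}
	fmt.Println(UnusedClusterRoles(roles, map[string]bool{"demo-main": true}))
}
```

With demo-main assumed to be bound, only demo-orphan is reported; demo-part is covered by the aggregation match.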