kubectl icon indicating copy to clipboard operation
kubectl copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

auth/can-i: check subresource if it exists and belongs to resource

Open Dentrax opened this issue 2 years ago • 9 comments

What happened:

The following command returns no:

$ kubectl auth can-i create pods --subresource=exec

Now try with random or non-existed subresource like foobarbaz:

$ kubectl auth can-i create pods --subresource=foobarbaz

Now it returns true. And same for:

$ kubectl auth can-i create pods/foobarbaz

What you expected to happen:

$ kubectl auth can-i create pods --subresource=thisisnotexist

It should return something like: Subresource "thisisnotexist" does not belong to "pods"

How to reproduce it (as minimally and precisely as possible):

Just try the commands in your cluster.

Anything else we need to know?:

Environment:

  • Kubernetes client and server versions (use kubectl version): Client: v1.24.0, Server: v1.20
  • Cloud provider or hardware configuration: on-prem
  • OS (e.g: cat /etc/os-release): Ubuntu 20.04

Dentrax avatar May 23 '22 12:05 Dentrax

/assign @atiratree

atiratree avatar May 25 '22 17:05 atiratree

/triage accepted

mpuckett159 avatar Jun 22 '22 21:06 mpuckett159

I think it should be enough to ouput a warning instead of an error: I started a PR that fixes that: https://github.com/kubernetes/kubernetes/pull/110752

nit:

kubectl auth can-i create pods/foobarbaz

this is checking a pod named foobarbaz and not a subresource

atiratree avatar Jun 23 '22 21:06 atiratree

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 21 '22 22:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Oct 21 '22 22:10 k8s-triage-robot

/remove-lifecycle rotten

Dentrax avatar Oct 22 '22 21:10 Dentrax

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 20 '23 22:01 k8s-triage-robot

/remove-lifecycle stale

vaibhav2107 avatar Aug 04 '23 15:08 vaibhav2107