`auth can-i` could support GroupVersionResources with * for resource within a specific group
What would you like to be added:
Support for kubectl auth can-i verb *.group queries.
Why is this needed:
Currently it's not possible to make such queries because the code only checks if the whole argument is *.
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#resourceattributes-v1-authorization-k8s-io
Please see this documentation for the API. The endpoint on the API server itself (which is what kubectl is querying) appears to explicitly support only the * character for a return of all resources, so we would need to work with SIG-Auth to attempt to update how that API works.
cc @enj for thoughts on this.
The group parameter is independent of resource and also accepts a *?
Running kubectl auth can-i verb *.apps causes the following API call:
{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "verb",
      "resource": "*.apps"   # not the best parsing
    }
  }
}
The user likely wants the following API call instead:
{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "verb",
      "resource": "*",   # this seems like the
      "group": "apps"    # more correct parsing
    }
  }
}
It should be fine to add more nuanced special case logic around *.foo being treated as resource=* and group=foo. We should be careful not to break any existing flows, of course.
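To make the proposed special case concrete, here is an added example (not kubectl's own code, which resolves non-wildcard names through a RESTMapper) that parses the can-i resource argument so that `*.foo` becomes resource=* and group=foo while bare `*` and `resource.group` keep their existing meaning, and builds the SelfSubjectAccessReview body kubectl would send. The `parseResourceArg` and `selfSubjectAccessReview` helpers are hypothetical names; the versioned `resource.version.group` spelling is deliberately not handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ResourceAttributes is a hand-written subset of the authorization.k8s.io/v1
// ResourceAttributes fields used in this example.
type ResourceAttributes struct {
	Namespace   string `json:"namespace,omitempty"`
	Verb        string `json:"verb"`
	Group       string `json:"group,omitempty"`
	Resource    string `json:"resource"`
	Subresource string `json:"subresource,omitempty"`
}

// parseResourceArg (hypothetical helper) splits a `kubectl auth can-i`
// resource argument into group, resource and subresource.
func parseResourceArg(arg string) ResourceAttributes {
	var ra ResourceAttributes
	name, sub, _ := strings.Cut(arg, "/") // "pods/log" -> pods, log
	ra.Subresource = sub
	switch {
	case name == "*":
		// Existing behaviour: bare "*" means every resource in every group.
		ra.Resource = "*"
	case strings.HasPrefix(name, "*."):
		// Proposed behaviour: "*.apps" means resource=* restricted to group=apps,
		// instead of a literal resource named "*.apps".
		ra.Resource = "*"
		ra.Group = strings.TrimPrefix(name, "*.")
	default:
		// "deployments.apps" -> resource=deployments, group=apps;
		// a bare name has an empty group (the core API group).
		ra.Resource, ra.Group, _ = strings.Cut(name, ".")
	}
	return ra
}

// selfSubjectAccessReview builds the JSON body kubectl would POST for a can-i query.
func selfSubjectAccessReview(namespace, verb, resourceArg string) ([]byte, error) {
	ra := parseResourceArg(resourceArg)
	ra.Namespace, ra.Verb = namespace, verb
	body := map[string]any{
		"kind":       "SelfSubjectAccessReview",
		"apiVersion": "authorization.k8s.io/v1",
		"spec":       map[string]any{"resourceAttributes": ra},
	}
	return json.MarshalIndent(body, "", "  ")
}

func main() {
	for _, arg := range []string{"*", "*.apps", "deployments.apps", "pods/log"} {
		b, _ := selfSubjectAccessReview("default", "list", arg)
		fmt.Printf("%s ->\n%s\n", arg, b)
	}
}
```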
Ah that makes sense. Thanks Mo!
I think we'd accept a PR that expands on this parsing (or maybe allows for a --group flag?).
/triage accepted
/assign