
feature: Discover unused RoleBindings

Open · doronkg opened this issue 7 months ago · 1 comment

Is your feature request related to a problem? RoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand or Roles/ClusterRoles on the other hand.

Go through all existing RoleBindings and verify if they are applied to existing subjects and roles. Utilize ShowReason flag to indicate that the reason the RoleBinding was considered unused was because it referenced an unused subject or role.

NOTE: Since a RoleBinding can include multiple subject references, discovering a single non-existing subject (among several existing ones) might mark the RoleBinding as unused while it actually is in use; in that case, it shouldn't be considered unused.

Examples

In the example below, we can see a RoleBinding with references to two users: alice and bob.

  1. Assuming neither alice nor bob exists, the Role is not applied to them, hence the RoleBinding will be considered UNUSED.
  2. Assuming both users alice and bob exist but the Role does not exist, it is not applied to them, hence the RoleBinding will be considered UNUSED.
  3. Assuming user alice does exist and the Role is applied to it, even while bob does not exist, the RoleBinding will be considered USED.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Describe the solution you'd like

```
$ kor rolebindings
Unused RoleBindings:
+---+--------------+---------------+------------------------------------------------------+
| # | NAMESPACE    | RESOURCE NAME | REASON                                               |
+---+--------------+---------------+------------------------------------------------------+
| 1 | example-ns-1 | example-rb-1  | RoleBinding references a non-existing ServiceAccount |
| 2 | example-ns-2 | example-rb-2  | RoleBinding references a non-existing ClusterRole    |
+---+--------------+---------------+------------------------------------------------------+
```

Feature checklist

  • [ ] pkg/kor/rolebindings.go
  • [ ] pkg/kor/rolebindings_test.go
  • [ ] pkg/kor/create_test_resources.go
  • [ ] pkg/kor/all.go
  • [ ] pkg/kor/delete.go
  • [ ] pkg/kor/multi.go
  • [ ] cmd/kor/rolebindings.go
  • [ ] charts/kor/templates/role.yaml
  • [ ] README.md

doronkg avatar Jul 25 '24 16:07 doronkg
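The check this issue asks for, written out as an added example (not kor's own code): minimal stand-in types replace the rbac/v1 client-go structs, and the `Inventory` of existing subjects and roles is assumed to be gathered by the caller. A binding is reported as used as long as its role exists and at least one subject resolves, matching the NOTE above.

```go
package main
// Minimal stand-ins for the rbac/v1 types (assumption: no client-go import, only the fields the check needs).
type Subject struct{ Kind, Name, Namespace string } // Namespace is set only for ServiceAccount subjects
type RoleRef struct{ Kind, Name string }            // Kind is "Role" or "ClusterRole"
type RoleBinding struct {
	Namespace string
	Subjects  []Subject
	RoleRef   RoleRef
}

// Inventory lists what exists in the cluster (assumption: filled by the caller from the API server); namespaced objects are keyed "namespace/name".
type Inventory struct {
	Users, Groups, ServiceAccounts, Roles, ClusterRoles map[string]bool
}

func (inv Inventory) subjectExists(rb RoleBinding, s Subject) bool {
	switch s.Kind {
	case "User":
		return inv.Users[s.Name]
	case "Group":
		return inv.Groups[s.Name]
	case "ServiceAccount": // an omitted namespace means the binding's own namespace
		if s.Namespace == "" {
			s.Namespace = rb.Namespace
		}
		return inv.ServiceAccounts[s.Namespace+"/"+s.Name]
	}
	return false // unknown subject kind: never counts as existing
}

// UnusedReason returns "" when the binding is in use, else why it is unused; one existing subject plus an existing role suffices (the NOTE above).
func UnusedReason(rb RoleBinding, inv Inventory) string {
	roleOK := inv.Roles[rb.Namespace+"/"+rb.RoleRef.Name] // a Role always lives in the binding's namespace
	if rb.RoleRef.Kind == "ClusterRole" {
		roleOK = inv.ClusterRoles[rb.RoleRef.Name]
	}
	if !roleOK {
		return "RoleBinding references a non-existing " + rb.RoleRef.Kind
	}
	for _, s := range rb.Subjects {
		if inv.subjectExists(rb, s) {
			return ""
		}
	}
	if len(rb.Subjects) == 1 {
		return "RoleBinding references a non-existing " + rb.Subjects[0].Kind
	}
	return "RoleBinding references no existing subjects"
}
```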