feature: Discover unused ClusterRoleBindings

[doronkg]

Is your feature request related to a problem? ClusterRoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand or ClusterRoles on the other hand.

Go through all existing ClusterRoleBindings and verify if they are applied to existing subjects and ClusterRoles. Utilize ShowReason flag to indicate that the reason the ClusterRoleBinding was considered unused was because it referenced an unused subject or ClusterRole.

NOTE: Since a ClusterRoleBinding can include multiple subject references, discovering a single non-existing subject (one of several existing ones) might indicate the ClusterRoleBinding as unused while it actually is, in that case, it shouldn't be considered as unused.

Examples

In the attached example, we could see a ClusterRoleBinding with references to both users: alice & bob.

1. Assuming both users alice & bob does not exist, the ClusterRole is not applied to them, hence the ClusterRoleBinding will be considered as UNUSED.
2. Assuming both users alice & bob exist, but the ClusterRole does not exist, it is not applied to them, hence the ClusterRoleBinding will be considered as UNUSED.
3. Assuming user alice does exist and the ClusterRole is applied to it, even while bob does not exist - the ClusterRoleBinding will be considered as USED.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods-global
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole 
  name: pod-reader 
  apiGroup: rbac.authorization.k8s.io

Describe the solution you'd like

$ kor clusterrolebindings
Unused ClusterRoleBindings:
+---+----------------+----------------------------------------------+-----------------------------+
| # | NAMESPACE |   RESOURCE NAME |                         REASON                                |
+---+----------------+----------------------------------------------+-----------------------------+
| 1 |           | example-crb-1   | ClusterRoleBinding references a non-existing ServiceAccount   |  
| 2 |           | example-crb-2   | ClusterRoleBinding references a non-existing ClusterRole      |
+---+----------------+----------------------------------------------+-----------------------------+

Feature checklist

• [ ] pkg/kor/clusterrolebindings.go
• [ ] pkg/kor/clusterrolebindings_test.go
• [ ] pkg/kor/create_test_resources.go
• [ ] pkg/kor/all.go
• [ ] pkg/kor/delete.go
• [ ] pkg/kor/multi.go
• [ ] pkg/kor/exceptions/clusterrolebindings
• [ ] cmd/kor/clusterrolebindings.go
• [ ] charts/kor/templates/role.yaml
• [ ] README.md

[doronkg]

@nati-elmaliach would you also like to claim this issue following #362? The logic would be pretty similar.

[nati-elmaliach]

@nati-elmaliach would you also like to claim this issue following #362? The logic would be pretty similar.

Sure thing. @yonahd please assign it to me.

[nati-elmaliach]

@doronkg @yonahd

Just a quick clarification:

• A ClusterRoleBinding is not tied to any specific namespace. How would you prefer the output to be displayed?

• This command make no sense kor clsuterrolebindings --include-namespaces. should it throw, show a warning, or ignored ?

[yonahd]

Great questions You can see how it is handled in the persistent volume resource. Let me know if this covers your questions

[yonahd]

@nati-elmaliach do you intend on completing this one?