kor icon indicating copy to clipboard operation
kor copied to clipboard

Published 20 hours ago verified publisher icon yonahd

feature: Discover unused ClusterRoleBindings

Open doronkg opened this issue 7 months ago • 0 comments

Is your feature request related to a problem? ClusterRoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand or ClusterRoles on the other hand.

Go through all existing ClusterRoleBindings and verify if they are applied to existing subjects and ClusterRoles. Utilize ShowReason flag to indicate that the reason the ClusterRoleBinding was considered unused was because it referenced an unused subject or ClusterRole.

NOTE: Since a ClusterRoleBinding can include multiple subject references, discovering a single non-existing subject (one of several existing ones) might indicate the ClusterRoleBinding as unused while it actually is, in that case, it shouldn't be considered as unused.

Examples

In the attached example, we could see a ClusterRoleBinding with references to both users: alice & bob.

  1. Assuming both users alice & bob does not exist, the ClusterRole is not applied to them, hence the ClusterRoleBinding will be considered as UNUSED.
  2. Assuming both users alice & bob exist, but the ClusterRole does not exist, it is not applied to them, hence the ClusterRoleBinding will be considered as UNUSED.
  3. Assuming user alice does exist and the ClusterRole is applied to it, even while bob does not exist - the ClusterRoleBinding will be considered as USED.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-pods-global
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole 
  name: pod-reader 
  apiGroup: rbac.authorization.k8s.io

Describe the solution you'd like

$ kor clusterrolebindings
Unused ClusterRoleBindings:
+---+----------------+----------------------------------------------+-----------------------------+
| # | NAMESPACE |   RESOURCE NAME |                         REASON                                |
+---+----------------+----------------------------------------------+-----------------------------+
| 1 |           | example-crb-1   | ClusterRoleBinding references a non-existing ServiceAccount   |  
| 2 |           | example-crb-2   | ClusterRoleBinding references a non-existing ClusterRole      |
+---+----------------+----------------------------------------------+-----------------------------+

Feature checklist

  • [ ] pkg/kor/clusterrolebindings.go
  • [ ] pkg/kor/clusterrolebindings_test.go
  • [ ] pkg/kor/create_test_resources.go
  • [ ] pkg/kor/all.go
  • [ ] pkg/kor/delete.go
  • [ ] pkg/kor/multi.go
  • [ ] cmd/kor/clusterrolebindings.go
  • [ ] charts/kor/templates/role.yaml
  • [ ] README.md

doronkg avatar Jul 25 '24 16:07 doronkg