* fix: Discover specs from namespaces user is allowed If a user has limited access to read secrets and config maps from certain namespaces in a cluster, we'd need to gracefully fail when forbidden errors are caught. We'll log them and continue searching for specs in other namespaces.
package k8sutil
import (
"context"
authorizationv1 "k8s.io/api/authorization/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
)
// CanIListAndGetAllSecretsAndConfigMaps reports whether the current user is
// allowed to get and list both secrets and configmaps across every namespace.
//
// Each (verb, resource) pair is checked with its own SelfSubjectAccessReview,
// in the order get/secrets, get/configmaps, list/secrets, list/configmaps.
// The review is issued with an empty namespace; for namespaced resources the
// authorization API treats that as "all namespaces", so a user who is only
// granted access in some namespaces is reported as not allowed.
//
// Returns (false, err) as soon as a review request fails, (false, nil) as soon
// as one review is not allowed, and (true, nil) only if every review is
// allowed. Remaining reviews are not sent once a negative answer is known.
func CanIListAndGetAllSecretsAndConfigMaps(ctx context.Context, client kubernetes.Interface) (bool, error) {
	verbs := [...]string{"get", "list"}
	resources := [...]string{"secrets", "configmaps"}

	for _, verb := range verbs {
		for _, resource := range resources {
			// Empty namespace: ask about the resource cluster-wide, not in a
			// particular namespace.
			allowed, err := authCanI(ctx, client, "", verb, resource)
			if err != nil || !allowed {
				// err is nil in the not-allowed case, so this yields (false, nil).
				return false, err
			}
		}
	}

	return true, nil
}
// authCanI asks the API server, via a SelfSubjectAccessReview, whether the
// current user may perform verb on resource in namespace ns.
//
// ns may be empty; per the ResourceAttributes API that means "all namespaces"
// for a namespaced resource (and is simply empty for cluster-scoped ones).
//
// Returns the review's Status.Allowed and a nil error when the request
// succeeds, or (false, err) when creating the review fails. Only Allowed is
// surfaced: Status.Reason and Status.EvaluationError are not returned, so a
// denied review and one the authorizer could not evaluate both read as false
// (fail closed).
func authCanI(ctx context.Context, client kubernetes.Interface, ns, verb, resource string) (bool, error) {
	attrs := authorizationv1.ResourceAttributes{
		Namespace: ns,
		Verb:      verb,
		Resource:  resource,
	}
	review := authorizationv1.SelfSubjectAccessReview{
		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
			ResourceAttributes: &attrs,
		},
	}

	result, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, &review, metav1.CreateOptions{})
	if err != nil {
		return false, err
	}

	return result.Status.Allowed, nil
}