scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-04 04:08:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #44796 from CaoShuFeng/canisubresource

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 45100, 45152, 42513, 44796, 45222)

add subresource support to kube auth can-i

Eg:
    kubectl auth can-i get pods --sub-resource=log

**Release note**:

```release-note
```
This commit is contained in:
Kubernetes Submit Queue
2017-05-02 10:35:12 -07:00
committed by GitHub
parent 0487d38771 de3db1eec3
commit 02a26f43a8
3 changed files with 25 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hack/verify-flags/known-flags.txt
View File

@@ -667,6 +667,7 @@ storage-media-type
storage-version storage-version
storage-versions storage-versions
streaming-connection-idle-timeout streaming-connection-idle-timeout
subresource
suicide-timeout suicide-timeout
sync-frequency sync-frequency
system-cgroups system-cgroups

18
pkg/kubectl/cmd/auth/cani.go
View File

@@ -45,6 +45,7 @@ type CanIOptions struct {
Verb string Verb string
Resource schema.GroupVersionResource Resource schema.GroupVersionResource
Subresource string
ResourceName string ResourceName string
Out io.Writer Out io.Writer
@@ -70,7 +71,10 @@ var (
kubectl auth can-i '*' '*' kubectl auth can-i '*' '*'
# Check to see if I can get the job named "bar" in namespace "foo" # Check to see if I can get the job named "bar" in namespace "foo"
kubectl auth can-i list jobs.batch/bar -n foo`) kubectl auth can-i list jobs.batch/bar -n foo
# check to see if I can read pod logs
kubectl auth can-i get pods --subresource=log`)
) )
func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command { func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
@@ -101,6 +105,7 @@ func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
cmd.Flags().BoolVar(&o.AllNamespaces, "all-namespaces", o.AllNamespaces, "If true, check the specified action in all namespaces.") cmd.Flags().BoolVar(&o.AllNamespaces, "all-namespaces", o.AllNamespaces, "If true, check the specified action in all namespaces.")
cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "If true, suppress output and just return the exit code.") cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "If true, suppress output and just return the exit code.")
cmd.Flags().StringVar(&o.Subresource, "subresource", "", "SubResource such as pod/log or deployment/scale")
return cmd return cmd
} }
@@ -149,11 +154,12 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
sar := &authorizationapi.SelfSubjectAccessReview{ sar := &authorizationapi.SelfSubjectAccessReview{
Spec: authorizationapi.SelfSubjectAccessReviewSpec{ Spec: authorizationapi.SelfSubjectAccessReviewSpec{
ResourceAttributes: &authorizationapi.ResourceAttributes{ ResourceAttributes: &authorizationapi.ResourceAttributes{
Namespace: o.Namespace, Namespace: o.Namespace,
Verb: o.Verb, Verb: o.Verb,
Group: o.Resource.Group, Group: o.Resource.Group,
Resource: o.Resource.Resource, Resource: o.Resource.Resource,
Name: o.ResourceName, Subresource: o.Subresource,
Name: o.ResourceName,
}, },
}, },
} }

12
pkg/kubectl/cmd/auth/cani_test.go
View File

@@ -92,6 +92,18 @@ func TestRunAccessCheck(t *testing.T) {
`{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`, `{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
}, },
}, },
{
name: "sub resource",
o: &CanIOptions{
AllNamespaces: true,
Subresource: "log",
},
args: []string{"get", "pods"},
allowed: true,
expectedBodyStrings: []string{
`{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`,
},
},
} }
for _, test := range tests { for _, test := range tests {