feature: Discover unused RoleBindings #334

Closed
9 tasks
doronkg opened this issue Jul 25, 2024 · 1 comment · Fixed by #362
enhancement New feature or request good first issue Good for newcomers

Comments

doronkg commented Jul 25, 2024

Is your feature request related to a problem?
RoleBindings can be created while referencing non-existing users/groups/ServiceAccounts on one hand or Roles/ClusterRoles on the other hand.

Go through all existing RoleBindings and verify that they are applied to existing subjects and roles.
Utilize the ShowReason flag to indicate that the reason the RoleBinding was considered unused was that it referenced a non-existing subject or role.

NOTE: Since a RoleBinding can include multiple subject references, discovering a single non-existing subject (one of several existing ones) might mark the RoleBinding as unused while it is actually in use; in that case, it shouldn't be considered unused.

Examples

In the attached example, we can see a RoleBinding with references to both users: alice & bob.

  1. Assuming both users alice & bob do not exist, the Role is not applied to them, hence the RoleBinding will be considered as UNUSED.
  2. Assuming both users alice & bob exist, but the Role does not exist, it is not applied to them, hence the RoleBinding will be considered as UNUSED.
  3. Assuming user alice does exist and the Role is applied to it, even while bob does not exist - the RoleBinding will be considered as USED.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Describe the solution you'd like

```
$ kor rolebindings
Unused RoleBindings:
+---+--------------+---------------+------------------------------------------------------+
| # | NAMESPACE    | RESOURCE NAME | REASON                                               |
+---+--------------+---------------+------------------------------------------------------+
| 1 | example-ns-1 | example-rb-1  | RoleBinding references a non-existing ServiceAccount |
| 2 | example-ns-2 | example-rb-2  | RoleBinding references a non-existing ClusterRole    |
+---+--------------+---------------+------------------------------------------------------+
```

Feature checklist

  • pkg/kor/rolebindings.go
  • pkg/kor/rolebindings_test.go
  • pkg/kor/create_test_resources.go
  • pkg/kor/all.go
  • pkg/kor/delete.go
  • pkg/kor/multi.go
  • cmd/kor/rolebindings.go
  • charts/kor/templates/role.yaml
  • README.md
@yonahd yonahd added enhancement New feature or request good first issue Good for newcomers labels Jul 25, 2024
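As an added illustration of the rule the three examples above describe (this is not kor's own code, and it does not use client-go), the check below flags a RoleBinding only when its roleRef does not resolve or when none of its subjects does, so one dangling subject next to an existing one keeps the binding USED. The struct stand-ins, the map-based lookups and the choice to verify only ServiceAccount subjects (Users and Groups are not API objects, so a tool cannot confirm whether they exist) are assumptions of this example, and it generalizes the issue's Role case to ClusterRole references as well.

```go
package main

import "fmt"

// Minimal stand-ins for the RBAC objects (constructed for this example, not client-go types).
type Subject struct {
	Kind      string // "User", "Group" or "ServiceAccount"
	Name      string
	Namespace string // set for ServiceAccount subjects
}
type RoleRef struct{ Kind, Name string } // Kind is "Role" or "ClusterRole"
type RoleBinding struct {
	Name, Namespace string
	Subjects        []Subject
	RoleRef         RoleRef
}

// Cluster lists the objects that exist; keys are "namespace/name", ClusterRoles just "name".
type Cluster struct{ ServiceAccounts, Roles, ClusterRoles map[string]bool }

// unusedReason returns "" when the RoleBinding is in use, otherwise why it counts as unused.
// Users and Groups are external identities, not API objects, so they cannot be resolved against
// the cluster and are assumed to exist; only ServiceAccount subjects are verified (an assumption).
func unusedReason(rb RoleBinding, c Cluster) string {
	// The referenced role must exist first: Roles are namespaced, ClusterRoles are not.
	roleExists := c.ClusterRoles[rb.RoleRef.Name]
	if rb.RoleRef.Kind == "Role" {
		roleExists = c.Roles[rb.Namespace+"/"+rb.RoleRef.Name]
	}
	if !roleExists {
		return "RoleBinding references a non-existing " + rb.RoleRef.Kind
	}
	if len(rb.Subjects) == 0 {
		return "RoleBinding has no subjects"
	}
	// One resolvable subject is enough: a single dangling reference must not flag the binding.
	for _, s := range rb.Subjects {
		if s.Kind != "ServiceAccount" || c.ServiceAccounts[s.Namespace+"/"+s.Name] {
			return ""
		}
	}
	return "RoleBinding references a non-existing ServiceAccount"
}

func main() {
	c := Cluster{ServiceAccounts: map[string]bool{"default/alice": true}, Roles: map[string]bool{"default/pod-reader": true}}
	rb := RoleBinding{Name: "read-pods", Namespace: "default", RoleRef: RoleRef{"Role", "pod-reader"},
		Subjects: []Subject{{"ServiceAccount", "alice", "default"}, {"ServiceAccount", "bob", "default"}}}
	fmt.Printf("%s/%s unused reason: %q\n", rb.Namespace, rb.Name, unusedReason(rb, c)) // prints: default/read-pods unused reason: ""
}
```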
@nati-elmaliach
Contributor

Hey there, I'll be happy to take this one :)
