kubeauth

Module version: v0.1.4
Published: Feb 23, 2020 License: MPL-2.0

README

kubeauth is a program to assist usage of kubectl for user/group related operations. It currently provides two commands:

  1. add-user creates a service account based user, adds the credentials to the selected kubeconfig, and optionally creates bindings to existing roles or cluster roles.
  2. ctl wraps kubectl invocation and validates flags such as --as and --as-group.

add-user

Examples

Create the kubeconfig user "tester" based on service account "default" in the "dev" namespace. Also bind it to a role and cluster role. The --role and --cluster-role flags may be supplied multiple times.

kubeauth add-user -v=1 \
  --user tester \
  --account default \
  --namespace dev \
  --role role_name_0:binding_name_0 \
  --cluster-role role_name_1:binding_name_1

Validation checks
  • --role: role exists in effective namespace
  • --cluster-role: cluster role exists

ctl

  • Invocation format: ctl [kubectl sub-command] [kubeauth flags] -- [kubectl sub-command flags]
  • ctl flags which are also accepted by kubectl will be passed to the latter.

Examples

Verify that "tester" exists and run "kubectl auth can-i -v=1 --as tester --list".

kubeauth ctl auth can-i -v=1 \
  --as tester \
  -- --list

Verify that "system:serviceaccount:dev:default" exists and run "kubectl auth can-i -v=1 --as system:serviceaccount:dev:default --list".

kubeauth ctl auth can-i -v=1 \
  --as system:serviceaccount:dev:default \
  -- --list

Validation checks
  • effective context exists
  • effective namespace exists
  • --as selection exists
  • --as-group selection exists
  • agreement between --cluster and effective context's cluster

Development

License

Mozilla Public License Version 2.0 (About, FAQ)

Contributing

  • Please feel free to submit issues, PRs, questions, and feedback.
  • Although this repository consists of snapshots extracted from a private monorepo using transplant, PRs are welcome. Standard GitHub workflows are still used.

Testing

ctl

FAQ

  • ctl
    • Q: When verbose output is enabled with -v=1 and I use --as/--as-group flags, why do I not always see "in namespace X" in the messages describing where the user/group was found?
      • A: It may be that the --as/--as-group identity was found in a role or cluster-role binding where the Subject object contained an empty Namespace field. At the time this was written, the empty value is expected for User and Group subjects because those object kinds are considered "non-namespace".
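
The "--as selection exists" check and the FAQ answer above, shown as an added example that is not kubeauth's own code: an --as value is matched against binding subjects, and the namespace is reported only when the subject carries one. Assumptions: the Subject and Binding types are simplified stand-ins for the RBAC API objects, and the message wording and sample bindings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject and Binding are simplified stand-ins (assumption) for the RBAC API objects.
type Subject struct{ Kind, Name, Namespace string }
type Binding struct {
	Kind, Name string
	Subjects   []Subject
}

// ParseAs treats system:serviceaccount:<namespace>:<name> as a ServiceAccount, anything else as a User.
func ParseAs(as string) Subject {
	p := strings.Split(as, ":")
	if len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" && p[2] != "" && p[3] != "" {
		return Subject{Kind: "ServiceAccount", Name: p[3], Namespace: p[2]}
	}
	return Subject{Kind: "User", Name: as}
}

// FindSubject lists the bindings that name want; an empty result means no binding references it.
func FindSubject(want Subject, bindings []Binding) []string {
	var found []string
	for _, b := range bindings {
		for _, s := range b.Subjects {
			if s != want { // exact match: a same-named account in another namespace is a different identity
				continue
			}
			msg := fmt.Sprintf("%s %q found in %s %q", s.Kind, s.Name, b.Kind, b.Name)
			if s.Namespace != "" { // User and Group subjects carry no namespace
				msg += " in namespace " + s.Namespace
			}
			found = append(found, msg)
		}
	}
	return found
}

// sample holds constructed bindings, not data from a real cluster.
var sample = []Binding{
	{"RoleBinding", "binding_name_0", []Subject{{"ServiceAccount", "default", "dev"}, {"ServiceAccount", "default", "prod"}}},
	{"ClusterRoleBinding", "binding_name_1", []Subject{{"User", "tester", ""}, {"Group", "qa", ""}}},
}

func main() {
	fmt.Println(FindSubject(ParseAs("system:serviceaccount:dev:default"), sample))
}
```

A misspelled --as value such as "testr" returns an empty result here, which is the case a pre-flight existence check catches before kubectl is invoked.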

Directories

Path: Synopsis
cmd
kubeauth: Command kubeauth assists with authentication-related maintenance tasks.
internal
cage/cli/handler/mock: Package mock is a generated GoMock package.
cage/cmd/testecho: Package testecho assists execution of the CLI from test cases and assertion of its result.
cage/kubernetes/v1/kubectl/config/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/namespace/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/rbac/cluster_role/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/rbac/cluster_role_binding/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/rbac/identity/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/rbac/role/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/rbac/role_binding/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/secret/mock: Package mock is a generated GoMock package.
cage/kubernetes/v1/service_account/mock: Package mock is a generated GoMock package.
cage/os/exec/mock: Package mock is a generated GoMock package.
testkit: Package testkit provides constants, functions, and types which provide common necessities for the tests in multiple sub-commands.
