Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation does not match plugin capabilities #114

Open
plaffitt opened this issue Jan 13, 2021 · 1 comment
Open

Documentation does not match plugin capabilities #114

plaffitt opened this issue Jan 13, 2021 · 1 comment
Assignees
@corneliusweig
Labels
help wanted Extra attention is needed

Comments

@plaffitt
Copy link

Expected behavior
I would expect the documentation to match the binary capabilities.

Actual behavior
Some flags described in the documentation are not available in the plugin.

Steps To Reproduce

  1. Install the plugin with krew.
  2. Run kubectl access-matrix for pod --sa cloud-controller-manager -n ccmop

It outputs the following:

Error: unknown flag: --sa
Usage:
  access-matrix for <resource> [name] [flags]

Aliases:
  for, resource, r

Examples:

  Review access to deployments in any namespace
   $ kubectl access-matrix for deployments
   or
   $ kubectl access-matrix resource deployments

  Review access to deployments in the default namespace (with shorthands)
   $ kubectl access-matrix for deploy --namespace default

  Review access to deployments with custom verbs
   $ kubectl access-matrix for deploy --verbs get,watch,deletecollection

  Review access to a config-map with a specific name
   $ kubectl access-matrix for cm config-map-name --verbs=all


Flags:
      --as string                      Username to impersonate for the operation
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --cache-dir string               Default cache directory (default "/home/paul/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
  -h, --help                           help for for
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string              Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string               If present, the namespace scope for this CLI request
  -o, --output string                  output format out of (icon-table, ascii-table) (default "icon-table")
      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string                  The address and port of the Kubernetes API server
      --tls-server-name string         Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use
      --verbs strings                  show access for verbs out of (create, get, list, watch, update, patch, delete, deletecollection) (default [list,create,update,delete])

Global Flags:
  -v, --verbosity string   Log level (debug, info, warn, error, fatal, panic) (default "warning")

ERRO[0000] unknown flag: --sa

Context:

kubectl access-matrix version --full
rakkess:    v0.4.6
platform:   linux/amd64
git commit: ff2ba4f26b5fadeeef10a71e02d10acce00a94ba
build date: 2020-12-05T21:29:52Z
go version: go1.15.5
compiler:   gc

Additional context
~
@plaffitt plaffitt changed the title Documentation is clearly outdated Documentation does not match plugin capabilities Jan 13, 2021
@corneliusweig
Copy link
Owner

Sorry, I didn't see this issue until now. This is indeed a bit unclear and confusing, but expected behaviour.

Permissions are basically a tuple of (resource, serviceAccount, action), for example (pod, kube-system, list). In other words, this has three dimensions.
The primary command, access-matrix takes a defined serviceAccount (usually your current user), and makes a slice through this space, i.e. (resource, serviceAccout=you, action). The --sa flag changes the layer to a different one, for example with --sa=other it will produce the slice (resource, serviceAccount=other, action). This slice is then shown as a matrix.

On the other hand, the access-matrix for <resource> command fixes the resource in the space and produces a slice like (resource=pod, serviceAccount, action). So specifying the flag --sa does not make sense, otherwise the matrix would become a line along the action dimension: (resource=pod, serviceAccount=other, action).

If you have an idea how to express this better in the documentation, I'm happy to review your suggestion!

@corneliusweig corneliusweig added the help wanted Extra attention is needed label Apr 3, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corneliusweig corneliusweig

Labels
help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@corneliusweig @plaffitt