Add support for json output #137

Open
yuvalavra opened this issue Mar 14, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@yuvalavra

Awesome tool. It would be nice to have support for json output so users could use the output easily.

 kubectl access-matrix for pods -o json | jq ...
@corneliusweig
Owner

Given that kubectl can-i --list does not support json/yaml output, this sounds like a reasonable request. I'm not entirely sure what the schema should be, though. This seems ok-ish for rakkess for pods:

{
  "resource": "pods",
  "description": "maybe describe what this is",
  "rules": [
    {
      "name": "job-controller",
      "kind": "ServiceAccount",
      "sa-namespace": "kube-system",
      "verbs": {
        "get": true,
        "update": false
      }
    }
  ]
}

Does that make sense? Or am I missing something?


Similarly for rakkess:

{
  "role": "self",
  "description": "maybe describe what this is",
  "rules": [
    {
      "resource": "pods",
      "verbs": {
        "get": true,
        "update": false
      }
    }
  ]
}

@yuvalavra
Author

Thanks for the quick response!
My use case for this is to take the output from rakkess for $resource, specifically the service accounts, to then search for pods assigned those service accounts. Basically asking which pods in the cluster have permission to do something with $resource. So for my use case the schema you proposed is great.

Other use cases may benefit from a more detailed schema that includes the rolebindings and clusterrolebindings that grant the searched privileges, so it could be nice to include them if rakkess already has that info.

{
  "resource": "pods",
  "description": "maybe describe what this is",
  "rules": [
    {
      "name": "job-controller",
      "kind": "ServiceAccount",
      "sa-namespace": "kube-system",
      "verbs": {
        "get": true,
        "update": false
      },
      "rolebindings": [
        {<rolebinding object>}, # or perhaps just the rolebindings names?
      ],
      "clusterrolebindings": [
        {<clusterrolebinding object>}, # or perhaps just the clusterrolebindings names?
      ]
    }
  ]
}

@corneliusweig corneliusweig added the enhancement New feature or request label Apr 3, 2021
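
The use case described in this thread (mapping service accounts that hold a permission back to the pods running as them), as an added example that is not part of the issue or of rakkess. It assumes the JSON schema proposed above, which the thread does not confirm as implemented; the sample documents and the function name `pods_with_access` are constructed for illustration.

```python
import json

# Constructed sample in the schema proposed in this thread (not actual rakkess output).
ACCESS_MATRIX = json.loads("""
{
  "resource": "pods",
  "rules": [
    {"name": "job-controller", "kind": "ServiceAccount", "sa-namespace": "kube-system",
     "verbs": {"get": true, "update": false}},
    {"name": "ci-deployer", "kind": "ServiceAccount", "sa-namespace": "ci",
     "verbs": {"get": true, "update": true}},
    {"name": "alice", "kind": "User", "verbs": {"get": true, "update": true}}
  ]
}
""")

# Constructed sample shaped like `kubectl get pods -A -o json` (fields trimmed).
POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "ci", "name": "runner-0"}, "spec": {"serviceAccountName": "ci-deployer"}},
  {"metadata": {"namespace": "kube-system", "name": "kcm"}, "spec": {"serviceAccountName": "job-controller"}},
  {"metadata": {"namespace": "web", "name": "frontend"}, "spec": {}},
  {"metadata": {"namespace": "web", "name": "lookalike"}, "spec": {"serviceAccountName": "ci-deployer"}}
]}
""")


def pods_with_access(matrix, pod_list, verb):
    """Return sorted (namespace, pod, serviceaccount) for pods whose SA is granted `verb`."""
    granted = {
        (rule["sa-namespace"], rule["name"])
        for rule in matrix["rules"]
        # Only ServiceAccount subjects can be assigned to pods; skip users and groups.
        if rule.get("kind") == "ServiceAccount" and rule.get("verbs", {}).get(verb) is True
    }
    hits = []
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        # A pod without an explicit service account runs as "default" in its namespace.
        sa = pod["spec"].get("serviceAccountName") or "default"
        # Service accounts are namespaced: match on (namespace, name), never name alone.
        if (ns, sa) in granted:
            hits.append((ns, pod["metadata"]["name"], sa))
    return sorted(hits)


if __name__ == "__main__":
    for ns, pod, sa in pods_with_access(ACCESS_MATRIX, POD_LIST, "update"):
        print(f"{ns}/{pod} runs as {sa} and can update {ACCESS_MATRIX['resource']}")
```

The `web/lookalike` pod is not reported even though its service account shares a name with a privileged one, because the match is on namespace and name together.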