This change add nonResourceURL to kubectl auth cani #46432
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/M
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @CaoShuFeng. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
CaoShuFeng
force-pushed
the
can-i-non-resource-url
branch
from
5b5dfba
to
2741590
Compare
pkg/kubectl/cmd/auth/cani.go
Outdated
| errors := []error{} | ||
| return utilerrors.NewAggregate(errors) | ||
| if o.NonResourceURL != "" && o.Subresource != "" { | ||
| return fmt.Errorf("--subresource can not be used with nonResourceURL") |
There was a problem hiding this comment.
neither can resources or resourceNames
pkg/kubectl/cmd/auth/cani.go
Outdated
| Subresource: o.Subresource, | ||
| Name: o.ResourceName, | ||
| var sar *authorizationapi.SelfSubjectAccessReview | ||
| if o.Resource != (schema.GroupVersionResource{}) { |
There was a problem hiding this comment.
Seems like we should check for the presence of a nonresourceurl instead.
|
Minor comments. I like the way it works. @fabianofranz any comment on usage? |
pkg/kubectl/cmd/auth/cani.go
Outdated
| @@ -57,7 +57,7 @@ var ( | |||
| Check whether an action is allowed. | |||
|
|
|||
| VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. | |||
| TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. | |||
| TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. If start with "/", TYPE will be treated as nonResourceURL. | |||
There was a problem hiding this comment.
Need to adjust the command usage to add the new arg type, something like:
kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
pkg/kubectl/cmd/auth/cani.go
Outdated
| # Check to see if I can read pod logs | ||
| kubectl auth can-i get pods --subresource=log | ||
|
|
||
| # Check to see if I can access url /logs/ |
There was a problem hiding this comment.
Check to see if I can access the URL "/logs"
pkg/kubectl/cmd/auth/cani.go
Outdated
| @@ -57,7 +57,7 @@ var ( | |||
| Check whether an action is allowed. | |||
|
|
|||
| VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. | |||
| TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. | |||
| TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. If start with "/", TYPE will be treated as nonResourceURL. | |||
There was a problem hiding this comment.
Here in the description refer to it as a "Non-Resource URL".
CaoShuFeng
force-pushed
the
can-i-non-resource-url
branch
from
2741590
to
3bf3a03
Compare
|
@k8s-bot ok to test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, deads2k
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
@CaoShuFeng: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 46432, 46701, 46326, 40848, 46396) |
Release note: