Merge pull request #30 from mkgrei/fix-non-namespaced

Fixes requiring namespace when namespace variable is not set
Ladicle · Aug 14, 2020 · 29d66b1 · 29d66b1
2 parents 6085fde + 0b1d063
commit 29d66b1
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/clean.sh b/clean.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -eu
+
+echo; echo "Clean up..."
+kubectl delete sa test-user
+kubectl delete psp test-psp
+kubectl delete role test-role
+kubectl delete rolebinding test
+kubectl delete clusterrolebinding test
+kubectl delete rolebinding test-group
+kubectl delete clusterrolebinding test-group
diff --git a/cmd/cmd.go b/cmd/cmd.go
@@ -108,13 +108,15 @@ func (o *Option) Run() error {
 		Name: o.SubjectName,
 		Kind: o.SubjectKind,
 	}
+	namespaced := false
 	if sub.Kind == subject.KindSA {
 		k8sCfg := o.f.ToRawKubeConfigLoader()
 		ns, _, err := k8sCfg.Namespace()
 		if err != nil {
 			return err
 		}
 		sub.Namespace = ns
+		namespaced = true
 	}
 
 	client, err := o.f.KubernetesClientSet()
@@ -123,9 +125,12 @@ func (o *Option) Run() error {
 	}
 
 	exp := explorer.NewPolicyExplorer(client)
-	nsp, err := exp.NamespacedSbjRoles(sub)
-	if err != nil {
-		return err
+	var nsp []*explorer.SubjectRole
+	if namespaced {
+		nsp, err = exp.NamespacedSbjRoles(sub)
+		if err != nil {
+			return err
+		}
 	}
 	clusterp, err := exp.ClusterSbjRoles(sub)
 	if err != nil {
@@ -151,8 +156,10 @@ func (o *Option) Run() error {
 
 	pp.BlankLine()
 	pp.PrintHeader("Policies")
-	pp.PrintPolicies(nsp)
-	pp.BlankLine()
+	if namespaced {
+		pp.PrintPolicies(nsp)
+		pp.BlankLine()
+	}
 	pp.PrintPolicies(clusterp)
 
 	return nil

diff --git a/test.sh b/test.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 
 echo; echo "Creating ServiceAccount..."
-kubectl create sa test-user
+kubectl create sa test-user --dry-run=client -o yaml | kubectl apply -f -
 
 echo; echo "Creating PSP..."
 cat <<EOF | kubectl apply -f -
@@ -54,10 +54,23 @@ EOF
 echo; echo "Binding Role..."
 kubectl create rolebinding test \
         --role=test-role \
-        --serviceaccount=default:test-user
+        --serviceaccount=default:test-user --dry-run=client -o yaml | kubectl apply -f -
 
 echo; echo "Binding ClusterRole..."
-kubectl create clusterrolebinding test --clusterrole edit --serviceaccount default:test-user
+kubectl create clusterrolebinding test --clusterrole edit --serviceaccount default:test-user --dry-run=client -o yaml | kubectl apply -f -
+
+echo; echo "Binding Role[Group]..."
+kubectl create rolebinding test-group \
+        --role=test-role \
+        --group developer --dry-run=client -o yaml | kubectl apply -f -
+
+echo; echo "Binding ClusterRole[Group]..."
+kubectl create clusterrolebinding test-group --clusterrole edit --group developer --dry-run=client -o yaml | kubectl apply -f -
 
 echo; echo "Test..."
 ./_output/kubectl-rolesum test-user
+
+echo; echo "Test[Group]..."
+./_output/kubectl-rolesum -k Group developer
+
+./clean.sh