Moving back to dep for better Kubernetes compatibility, cleaning up K…

…ubernetes auth logic
FairwindsOps · Mar 1, 2019 · aa585a8 · aa585a8
1 parent 846f7de
commit aa585a8
Show file tree

Hide file tree

Showing 8 changed files with 749 additions and 202 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -0,0 +1,12 @@
+[[constraint]]
+  name = "github.com/spf13/cobra"
+  version = "~0.0.3"
+[[constraint]]
+  name = "k8s.io/api"
+  version = "kubernetes-1.13.4"
+[[constraint]]
+  name = "k8s.io/apimachinery"
+  version = "kubernetes-1.13.4"
+[[constraint]]
+  name = "k8s.io/client-go"
+  version = "~10.0.0"
diff --git a/README.md b/README.md
@@ -84,9 +84,6 @@ User/[email protected]      project-wide      IAM/gcp-viewer      IAMRole/viewer
 
 At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view [lookup/gke_roles.go](lookup/gke_roles.go).
 
-### Kubernetes Configuration
-If a `KUBECONFIG` environment variable is specified, rbac-lookup will attempt to use the config at that path, otherwise it will default to `~/.kube/config`.
-
 ## RBAC Manager
 While RBAC Lookup helps provide visibility into Kubernetes auth, RBAC Manager helps make auth simpler to manage. This is a Kubernetes operator that enables more concise RBAC configuration that is easier to scale and automate. For more information, see [RBAC Manager on GitHub](https://github.com/reactiveops/rbac-manager).
 

diff --git a/cmd/root.go b/cmd/root.go
@@ -22,8 +22,10 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var output string
-var gke bool
+var outputFormat string
+var enableGke bool
+var kubeContext string
+var subjectType string
 
 var rootCmd = &cobra.Command{
 	Use:   "rbac-lookup [subject query]",
@@ -35,13 +37,15 @@ var rootCmd = &cobra.Command{
 			fmt.Printf("Error parsing flags: %v", err)
 		}
 
-		lookup.List(args, output, gke)
+		lookup.List(args, kubeContext, outputFormat, subjectType, enableGke)
 	},
 }
 
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&output, "output", "o", "", "output format (normal,wide)")
-	rootCmd.PersistentFlags().BoolVar(&gke, "gke", false, "enable GKE integration")
+	rootCmd.PersistentFlags().StringVarP(&outputFormat, "output", "o", "", "output format (normal,wide)")
+	rootCmd.PersistentFlags().StringVarP(&kubeContext, "context", "", "", "context to use for Kubernetes config")
+	rootCmd.PersistentFlags().StringVarP(&subjectType, "type", "t", "", "filter by this RBAC subject type")
+	rootCmd.PersistentFlags().BoolVar(&enableGke, "gke", false, "enable GKE integration")
 }
 
 // Execute is the primary entrypoint for this CLI

diff --git a/cmd/version.go b/cmd/version.go
@@ -28,6 +28,6 @@ var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Print the version number of rbac-lookup",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println("rbac-lookup version 0.2.1")
+		fmt.Println("rbac-lookup version 0.3.0")
 	},
 }
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/lookup/list.go b/lookup/list.go
@@ -15,19 +15,16 @@
 package lookup
 
 import (
-	"flag"
 	"fmt"
 	"os"
-	"path/filepath"
 	"strings"
 
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
-	// Required for GKE Auth
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// Required for dex / oidc
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	// Required for GKE, OIDC, and more
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
 )
 
 type clusterInfo struct {
@@ -37,11 +34,19 @@ type clusterInfo struct {
 }
 
 // List outputs rbac bindings where subject names match given string
-func List(args []string, outputFormat string, enableGke bool) {
-	kubeconfig := getKubeConfig()
-	clientset, err := getClientSet(kubeconfig)
+func List(args []string, kubeContext, outputFormat, subjectType string, enableGke bool) {
+	clientConfig := getClientConfig(kubeContext)
+
+	kubeconfig, err := clientConfig.ClientConfig()
+	if err != nil {
+		fmt.Printf("Error getting Kubernetes config: %v\n", err)
+		os.Exit(1)
+	}
+
+	clientset, err := kubernetes.NewForConfig(kubeconfig)
 	if err != nil {
-		panic(err.Error())
+		fmt.Printf("Error generating Kubernetes clientset from kubeconfig: %v\n", err)
+		os.Exit(2)
 	}
 
 	filter := ""
@@ -56,8 +61,18 @@ func List(args []string, outputFormat string, enableGke bool) {
 	}
 
 	if enableGke {
-		ci := getClusterInfo(kubeconfig)
-		l.gkeProjectName = ci.GkeProjectName
+		rawConfig, err := clientConfig.RawConfig()
+		if err != nil {
+			fmt.Printf("Error getting Kubernetes raw config: %v\n", err)
+			os.Exit(2)
+		}
+
+		ci := getClusterInfo(&rawConfig, kubeContext)
+		if ci.GkeProjectName == "" {
+			fmt.Printf("Error parsing GKE project name from kubeconfig")
+		} else {
+			l.gkeProjectName = ci.GkeProjectName
+		}
 	}
 
 	loadErr := l.loadAll()
@@ -69,35 +84,21 @@ func List(args []string, outputFormat string, enableGke bool) {
 	l.printRbacBindings(outputFormat)
 }
 
-func getKubeConfig() string {
-	var kubeconfig string
-	if os.Getenv("KUBECONFIG") != "" {
-		kubeconfig = os.Getenv("KUBECONFIG")
-	} else if home := homeDir(); home != "" {
-		kubeconfig = filepath.Join(home, ".kube", "config")
-	} else {
-		fmt.Println("Parsing kubeconfig failed, please set KUBECONFIG env var")
-		os.Exit(1)
-	}
-
-	if _, err := os.Stat(kubeconfig); err != nil {
-		// kubeconfig doesn't exist
-		fmt.Printf("%s does not exist - please make sure you have a kubeconfig configured.\n", kubeconfig)
-		panic(err.Error())
-	}
-
-	return kubeconfig
+func getClientConfig(kubeContext string) clientcmd.ClientConfig {
+	return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		clientcmd.NewDefaultClientConfigLoadingRules(),
+		&clientcmd.ConfigOverrides{CurrentContext: kubeContext},
+	)
 }
 
-func getClusterInfo(kubeconfig string) *clusterInfo {
-	c, err := clientcmd.LoadFromFile(kubeconfig)
-	if err != nil {
-		panic(err.Error())
+func getClusterInfo(c *clientcmdapi.Config, kubeContext string) *clusterInfo {
+	context := c.Contexts[c.CurrentContext]
+	if kubeContext != "" {
+		context = c.Contexts[kubeContext]
 	}
 
-	currentContext := c.Contexts[c.CurrentContext]
-	if currentContext.Cluster != "" {
-		s := strings.Split(currentContext.Cluster, "_")
+	if context.Cluster != "" {
+		s := strings.Split(context.Cluster, "_")
 		if s[0] == "gke" {
 			return &clusterInfo{
 				ClusterName:    s[3],
@@ -106,24 +107,6 @@ func getClusterInfo(kubeconfig string) *clusterInfo {
 			}
 		}
 	}
-	return &clusterInfo{}
-}
 
-func getClientSet(kubeconfig string) (*kubernetes.Clientset, error) {
-	flag.Parse()
-	// use the current context in kubeconfig
-	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
-	if err != nil {
-		return nil, err
-	}
-
-	// create the clientset
-	return kubernetes.NewForConfig(config)
-}
-
-func homeDir() string {
-	if h := os.Getenv("HOME"); h != "" {
-		return h
-	}
-	return os.Getenv("USERPROFILE") // windows
+	return &clusterInfo{}
 }