Include serviceaccount namespace #30

bergerx · 2019-09-26T11:14:29Z

TL;DR: Service accounts are namespaced, they are not like users and groups which are not namespaced. Currently the SUBJECT field in output works fine for users and groups but not for service accounts. For service accounts it only has "ServiceAccount/" which should be something like "ServiceAccount//".

As an example, in our clusters we have a per-namespace "tiller" serviceaccount and each with different set of bindings. They also have rolebindings in other namespaces.

Here is an example case:
We have a tiller service account in dev, qa and demo namespaces. Qa and demo also has explicit access in a monitoring namespace.

Currently when we run rbac-lookup tiller -o wide it prints out RoleBindings for tiller serviceaccounts in any namespace, and its not possible to distinguish which service account has which role.

Example output (mind duplicate line at the beginning, thats not a copy paste mistake):

$ rbac-lookup tiller -o wide
SUBJECT                  SCOPE                    ROLE                              SOURCE
ServiceAccount/tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/tiller    dev                      ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/tiller    dev                      ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/tiller    qa                       ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/tiller    qa                       ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator

Here is what i'd expect to see:

$ rbac-lookup tiller -o wide
SUBJECT                       SCOPE                    ROLE                              SOURCE
ServiceAccount/qa:tiller      application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/demo:tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/dev:tiller     dev                      ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/dev:tiller     dev                      ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/qa:tiller      qa                       ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/qa:tiller      qa                       ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/demo:tiller    demo                     ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/demo:tiller    demo                     ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator

The text was updated successfully, but these errors were encountered:

sudermanjr · 2019-09-26T17:35:43Z

@bergerx I think this is a great idea. We will definitely put this on our list of TODO. Thanks!

sudermanjr added the enhancement Adding additional functionality or improvements label Sep 26, 2019

lucasreed added the good first issue Good for newcomers label Sep 26, 2019

sudermanjr assigned lucasreed Sep 27, 2019

lucasreed added a commit to lucasreed/rbac-lookup that referenced this issue Sep 28, 2019

adding namespace output for service accounts - fixes FairwindsOps#30

d5736dd

sudermanjr closed this as completed in 35c9001 Oct 2, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Include serviceaccount namespace #30

Include serviceaccount namespace #30

bergerx commented Sep 26, 2019

sudermanjr commented Sep 26, 2019

Include serviceaccount namespace #30

Include serviceaccount namespace #30

Comments

bergerx commented Sep 26, 2019

sudermanjr commented Sep 26, 2019