Comments (10)
Hey @switchboardOp, thanks for investigating this! I still mean to take this up early in October, but until then I'm pretty tied up atm. If anybody wants to take this over, help is highly appreciated!
from rakkess.
Sorry, I just tried and I can't reproduce this. I applied the resources and ran k access-matrix --sa example-go-info -n default, which yields
NAME LIST CREATE UPDATE DELETE
bindings ✖
configmaps ✖ ✖ ✖ ✖
...
pods ✔ ✖ ✖ ✖
...
statefulsets.apps ✖ ✖ ✖ ✖
Can you make sure that the resources are correctly created? For example, look at the output of
kubectl krew install get-all
kubectl get-all --since 10m # or whatever the duration since applying the resources
This shows for me:
NAME NAMESPACE AGE
secret/example-go-info-token-xzc2f default 6m46s
serviceaccount/example-go-info default 6m46s
rolebinding.rbac.authorization.k8s.io/example-go-info-pod-read default 6m46s
role.rbac.authorization.k8s.io/pod-read default 6m46s
from rakkess.
Can you provide more information about your environment? For example:
kubectl version
kubectl access-matrix # to check if your rights are sufficient
And maybe you are using k3s? (It also works with k3s for me, though...)
from rakkess.
It's a Rancher Kubernetes Engine (RKE) created by Rancher 2.2.8. You can launch my environment with vagrant as described at https://github.com/rgl/rancher-single-node-ubuntu-vagrant.
Below is the requested information, please let me know if you need anything else.
kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:54Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:05:50Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
kubectl access-matrix
NAME LIST CREATE UPDATE DELETE
alertmanagers.monitoring.coreos.com ✔ ✔ ✔ ✔
apiservices.apiregistration.k8s.io ✔ ✔ ✔ ✔
bgpconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
bindings ✔
certificatesigningrequests.certificates.k8s.io ✔ ✔ ✔ ✔
clusterauthtokens.cluster.cattle.io ✔ ✔ ✔ ✔
clusterinformations.crd.projectcalico.org ✔ ✔ ✔ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusteruserattributes.cluster.cattle.io ✔ ✔ ✔ ✔
componentstatuses ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csidrivers.storage.k8s.io ✔ ✔ ✔ ✔
csinodes.storage.k8s.io ✔ ✔ ✔ ✔
customresourcedefinitions.apiextensions.k8s.io ✔ ✔ ✔ ✔
daemonsets.apps ✔ ✔ ✔ ✔
daemonsets.extensions ✔ ✔ ✔ ✔
deployments.apps ✔ ✔ ✔ ✔
deployments.extensions ✔ ✔ ✔ ✔
endpoints ✔ ✔ ✔ ✔
events ✔ ✔ ✔ ✔
events.events.k8s.io ✔ ✔ ✔ ✔
felixconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworksets.crd.projectcalico.org ✔ ✔ ✔ ✔
horizontalpodautoscalers.autoscaling ✔ ✔ ✔ ✔
hostendpoints.crd.projectcalico.org ✔ ✔ ✔ ✔
ingresses.extensions ✔ ✔ ✔ ✔
ingresses.networking.k8s.io ✔ ✔ ✔ ✔
ippools.crd.projectcalico.org ✔ ✔ ✔ ✔
jobs.batch ✔ ✔ ✔ ✔
leases.coordination.k8s.io ✔ ✔ ✔ ✔
limitranges ✔ ✔ ✔ ✔
localsubjectaccessreviews.authorization.k8s.io ✔
mutatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
namespaces ✔ ✔ ✔ ✔
networkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
networkpolicies.extensions ✔ ✔ ✔ ✔
networkpolicies.networking.k8s.io ✔ ✔ ✔ ✔
nodes ✔ ✔ ✔ ✔
nodes.metrics.k8s.io ✔
persistentvolumeclaims ✔ ✔ ✔ ✔
persistentvolumes ✔ ✔ ✔ ✔
poddisruptionbudgets.policy ✔ ✔ ✔ ✔
pods ✔ ✔ ✔ ✔
pods.metrics.k8s.io ✔
podsecuritypolicies.extensions ✔ ✔ ✔ ✔
podsecuritypolicies.policy ✔ ✔ ✔ ✔
podtemplates ✔ ✔ ✔ ✔
priorityclasses.scheduling.k8s.io ✔ ✔ ✔ ✔
prometheuses.monitoring.coreos.com ✔ ✔ ✔ ✔
prometheusrules.monitoring.coreos.com ✔ ✔ ✔ ✔
replicasets.apps ✔ ✔ ✔ ✔
replicasets.extensions ✔ ✔ ✔ ✔
replicationcontrollers ✔ ✔ ✔ ✔
resourcequotas ✔ ✔ ✔ ✔
rolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
roles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
runtimeclasses.node.k8s.io ✔ ✔ ✔ ✔
secrets ✔ ✔ ✔ ✔
selfsubjectaccessreviews.authorization.k8s.io ✔
selfsubjectrulesreviews.authorization.k8s.io ✔
serviceaccounts ✔ ✔ ✔ ✔
servicemonitors.monitoring.coreos.com ✔ ✔ ✔ ✔
services ✔ ✔ ✔ ✔
statefulsets.apps ✔ ✔ ✔ ✔
storageclasses.storage.k8s.io ✔ ✔ ✔ ✔
subjectaccessreviews.authorization.k8s.io ✔
tokenreviews.authentication.k8s.io ✔
validatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
volumeattachments.storage.k8s.io ✔ ✔ ✔ ✔
No namespace given, this implies cluster scope (try -n if this is not intended)
kubectl get-all --since 10m
To deploy the full example I do:
vagrant ssh server
sudo su -l
cd /vagrant/examples/go-info
./deploy.sh
kubectl get-all --since 10m
And this is the output:
# ./deploy.sh
++ dirname ./deploy.sh
+ cd .
+ kubectl apply -f deployment.yml
serviceaccount/example-go-info created
role.rbac.authorization.k8s.io/pod-read created
rolebinding.rbac.authorization.k8s.io/example-go-info-pod-read created
ingress.networking.k8s.io/example-go-info created
service/example-go-info created
secret/example-go-info-secrets created
configmap/example-go-info-configs created
daemonset.apps/example-go-info created
# kubectl get-all --since 10m
NAME NAMESPACE AGE
configmap/example-go-info-configs default 3m10s
endpoints/example-go-info default 3m10s
pod/example-go-info-9f75w default 2m24s
secret/example-go-info-secrets default 3m10s
secret/example-go-info-token-5pjvl default 3m10s
serviceaccount/example-go-info default 3m10s
service/example-go-info default 3m10s
controllerrevision.apps/example-go-info-544fd5b4b4 default 2m31s
controllerrevision.apps/example-go-info-56fbdf8bfb default 3m10s
daemonset.apps/example-go-info default 3m10s
daemonset.extensions/example-go-info default 3m10s
ingress.extensions/example-go-info default 3m10s
nodemetrics.metrics.k8s.io/server 1s
podmetrics.metrics.k8s.io/cattle-node-agent-cf4vh cattle-system 1s
podmetrics.metrics.k8s.io/cattle-cluster-agent-598bd84b98-z9dfl cattle-system 1s
podmetrics.metrics.k8s.io/nginx-ingress-controller-4q77t ingress-nginx 1s
podmetrics.metrics.k8s.io/nfs-client-provisioner-94d696d6b-5sxsf nfs-client-provisioner 1s
podmetrics.metrics.k8s.io/kube-api-auth-6z6sj cattle-system 1s
podmetrics.metrics.k8s.io/coredns-5678df9bcc-rnx54 kube-system 1s
podmetrics.metrics.k8s.io/canal-96knn kube-system 1s
podmetrics.metrics.k8s.io/default-http-backend-97bf46cd4-dpq6p ingress-nginx 1s
podmetrics.metrics.k8s.io/external-dns-dd699c9f6-jqnls default 1s
podmetrics.metrics.k8s.io/metrics-server-784769f887-xzbhk kube-system 1s
podmetrics.metrics.k8s.io/coredns-autoscaler-57bc9c9bd-cztf8 kube-system 1s
podmetrics.metrics.k8s.io/example-go-info-9f75w default 1s
ingress.networking.k8s.io/example-go-info default 3m10s
rolebinding.rbac.authorization.k8s.io/example-go-info-pod-read default 3m10s
role.rbac.authorization.k8s.io/pod-read default 3m10s
# kubectl access-matrix --sa example-go-info -n default # this really returns an empty list
NAME LIST CREATE UPDATE DELETE
kubectl get -o yaml serviceaccount/example-go-info
apiVersion: v1
imagePullSecrets:
- name: pandora-rancher-test-5000
kind: ServiceAccount
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","imagePullSecrets":[{"name":"pandora-rancher-test-5000"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-go-info","namespace":"default"}}
creationTimestamp: "2019-09-08T10:53:21Z"
name: example-go-info
namespace: default
resourceVersion: "8042"
selfLink: /api/v1/namespaces/default/serviceaccounts/example-go-info
uid: b187bd97-82e6-4565-ab66-c17fa2af73c8
secrets:
- name: example-go-info-token-5pjvl
kubectl get -o yaml rolebinding.rbac.authorization.k8s.io/example-go-info-pod-read
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"example-go-info-pod-read","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-read"},"subjects":[{"kind":"ServiceAccount","name":"example-go-info"}]}
creationTimestamp: "2019-09-08T10:53:21Z"
name: example-go-info-pod-read
namespace: default
resourceVersion: "8044"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/example-go-info-pod-read
uid: 7d423dc3-2459-4d68-ab95-fc8a6e27c3d2
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-read
subjects:
- kind: ServiceAccount
name: example-go-info
kubectl get -o yaml role.rbac.authorization.k8s.io/pod-read
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"name":"pod-read","namespace":"default"},"rules":[{"apiGroups":[""],"resources":["pods"],"verbs":["get","list"]}]}
creationTimestamp: "2019-09-08T10:53:21Z"
name: pod-read
namespace: default
resourceVersion: "8043"
selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/roles/pod-read
uid: 8a6969ed-d0a4-458d-a5a0-ac88a224dc12
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
from rakkess.
Hey, thanks for this detailed report. I just want to let you know that I will look into this, but it will take some time.
In the meantime, you can also work with kubectl auth can-i --list.
If you still have your setup running, can you also show the output when running with -v debug?
from rakkess.
Here's the requested information.
kubectl auth can-i --list
Resources Non-Resource URLs Resource Names Verbs
*.* [] [] [* *]
persistentvolumeclaims.* [] [] [*]
[*] [] [*]
[*] [] [*]
namespaces [] [cattle-system] [*]
namespaces [] [default] [*]
namespaces [] [ingress-nginx] [*]
namespaces [] [jenkins] [*]
namespaces [] [kube-node-lease] [*]
namespaces [] [kube-public] [*]
namespaces [] [kube-system] [*]
namespaces [] [metallb-system] [*]
namespaces [] [nfs-client-provisioner] [*]
namespaces [] [redis] [*]
catalogtemplates.management.cattle.io [] [] [*]
catalogtemplateversions.management.cattle.io [] [] [*]
projectalertgroups.management.cattle.io [] [] [*]
projectalertrules.management.cattle.io [] [] [*]
projectcatalogs.management.cattle.io [] [] [*]
projectloggings.management.cattle.io [] [] [*]
projectmonitorgraphs.management.cattle.io [] [] [*]
projectroletemplatebindings.management.cattle.io [] [] [*]
pods.metrics.k8s.io [] [] [*]
prometheuses.monitoring.coreos.com [] [] [*]
prometheusrules.monitoring.coreos.com [] [] [*]
servicemonitors.monitoring.coreos.com [] [] [*]
apps.project.cattle.io [] [] [*]
pipelineexecutions.project.cattle.io [] [] [*]
pipelines.project.cattle.io [] [] [*]
pipelinesettings.project.cattle.io [] [] [*]
sourcecodeproviderconfigs.project.cattle.io [] [] [*]
rolebindings.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
roles.rbac.authorization.k8s.io [] [] [create delete deletecollection get list patch update watch]
configmaps [] [] [create delete deletecollection patch update get list watch]
endpoints [] [] [create delete deletecollection patch update get list watch]
persistentvolumeclaims [] [] [create delete deletecollection patch update get list watch]
pods [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers/scale [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers [] [] [create delete deletecollection patch update get list watch]
services [] [] [create delete deletecollection patch update get list watch]
daemonsets.apps [] [] [create delete deletecollection patch update get list watch]
deployments.apps/scale [] [] [create delete deletecollection patch update get list watch]
deployments.apps [] [] [create delete deletecollection patch update get list watch]
replicasets.apps/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.apps [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps/scale [] [] [create delete deletecollection patch update get list watch]
statefulsets.apps [] [] [create delete deletecollection patch update get list watch]
horizontalpodautoscalers.autoscaling [] [] [create delete deletecollection patch update get list watch]
cronjobs.batch [] [] [create delete deletecollection patch update get list watch]
jobs.batch [] [] [create delete deletecollection patch update get list watch]
daemonsets.extensions [] [] [create delete deletecollection patch update get list watch]
deployments.extensions/scale [] [] [create delete deletecollection patch update get list watch]
deployments.extensions [] [] [create delete deletecollection patch update get list watch]
ingresses.extensions [] [] [create delete deletecollection patch update get list watch]
networkpolicies.extensions [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions/scale [] [] [create delete deletecollection patch update get list watch]
replicasets.extensions [] [] [create delete deletecollection patch update get list watch]
replicationcontrollers.extensions/scale [] [] [create delete deletecollection patch update get list watch]
ingresses.networking.k8s.io [] [] [create delete deletecollection patch update get list watch]
networkpolicies.networking.k8s.io [] [] [create delete deletecollection patch update get list watch]
poddisruptionbudgets.policy [] [] [create delete deletecollection patch update get list watch]
deployments.apps/rollback [] [] [create delete deletecollection patch update]
deployments.extensions/rollback [] [] [create delete deletecollection patch update]
namespaces [] [] [create get list watch create]
localsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
secrets [] [] [get list watch create delete deletecollection patch update]
services/proxy [] [] [get list watch create delete deletecollection patch update]
persistentvolumes.* [] [] [get list watch get list watch get list watch]
storageclasses.* [] [] [get list watch get list watch get list watch]
bindings [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
clustercatalogs.management.cattle.io [] [] [get list watch]
clusterevents.management.cattle.io [] [] [get list watch]
notifiers.management.cattle.io [] [] [get list watch]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
serviceaccounts [] [] [impersonate create delete deletecollection patch update get list watch]
prometheus.monitoring.cattle.io [] [] [view]
kubectl access-matrix -v debug --sa example-go-info -n default
DEBU[0000] Set log-level to debug
DEBU[0000] []
NAME LIST CREATE UPDATE DELETE
kubectl access-matrix -v debug
DEBU[0000] Set log-level to debug
DEBU[0000] [{ {componentstatuses false ComponentStatus [get list] [cs] [] }} { {limitranges true LimitRange [create delete deletecollection get list patch update watch] [limits] [] EBKMFVe6cwo=}} { {services true Service [create delete get list patch update watch] [svc] [all] 0/CO1lhkEBI=}} { {bindings true Binding [create] [] [] }} { {persistentvolumeclaims true PersistentVolumeClaim [create delete deletecollection get list patch update watch] [pvc] [] QWTyNDq0dC4=}} { {podtemplates true PodTemplate [create delete deletecollection get list patch update watch] [] [] LIXB2x4IFpk=}} { {nodes false Node [create delete deletecollection get list patch update watch] [no] [] XwShjMxG9Fs=}} { {secrets true Secret [create delete deletecollection get list patch update watch] [] [] S6u1pOWzb84=}} { {namespaces false Namespace [create delete get list patch update watch] [ns] [] Q3oi5N2YM8M=}} { {resourcequotas true ResourceQuota [create delete deletecollection get list patch update watch] [quota] [] 8uhSgffRX6w=}} { {persistentvolumes false PersistentVolume [create delete deletecollection get list patch update watch] [pv] [] HN/zwEC+JgM=}} { {endpoints true Endpoints [create delete deletecollection get list patch update watch] [ep] [] fWeeMqaN/OA=}} { {replicationcontrollers true ReplicationController [create delete deletecollection get list patch update watch] [rc] [all] Jond2If31h0=}} { {pods true Pod [create delete deletecollection get list patch update watch] [po] [all] xPOwRZ+Yhw8=}} { {serviceaccounts true ServiceAccount [create delete deletecollection get list patch update watch] [sa] [] pbx9ZvyFpBE=}} { {configmaps true ConfigMap [create delete deletecollection get list patch update watch] [cm] [] qFsyl6wFWjQ=}} { {events true Event [create delete deletecollection get list patch update watch] [ev] [] r2yiGXH7wu8=}} {apiregistration.k8s.io {apiservices false APIService [create delete deletecollection get list patch update watch] [] [] C+s2HXXP47k=}} {extensions 
{podsecuritypolicies false PodSecurityPolicy [create delete deletecollection get list patch update watch] [psp] [] khBLobUXkqA=}} {extensions {replicasets true ReplicaSet [create delete deletecollection get list patch update watch] [rs] [] P1RzHs8/mWQ=}} {extensions {deployments true Deployment [create delete deletecollection get list patch update watch] [deploy] [] 8aSe+NMegvE=}} {extensions {networkpolicies true NetworkPolicy [create delete deletecollection get list patch update watch] [netpol] [] YpfwF18m1G8=}} {extensions {ingresses true Ingress [create delete deletecollection get list patch update watch] [ing] [] ZOAfGflaKd0=}} {extensions {daemonsets true DaemonSet [create delete deletecollection get list patch update watch] [ds] [] dd7pWHUlMKQ=}} {apps {deployments true Deployment [create delete deletecollection get list patch update watch] [deploy] [all] 8aSe+NMegvE=}} {apps {replicasets true ReplicaSet [create delete deletecollection get list patch update watch] [rs] [all] P1RzHs8/mWQ=}} {apps {daemonsets true DaemonSet [create delete deletecollection get list patch update watch] [ds] [all] dd7pWHUlMKQ=}} {apps {controllerrevisions true ControllerRevision [create delete deletecollection get list patch update watch] [] [] 85nkx63pcBU=}} {apps {statefulsets true StatefulSet [create delete deletecollection get list patch update watch] [sts] [all] H+vl74LkKdo=}} {events.k8s.io {events true Event [create delete deletecollection get list patch update watch] [ev] [] r2yiGXH7wu8=}} {authentication.k8s.io {tokenreviews false TokenReview [create] [] [] }} {authorization.k8s.io {selfsubjectaccessreviews false SelfSubjectAccessReview [create] [] [] }} {authorization.k8s.io {localsubjectaccessreviews true LocalSubjectAccessReview [create] [] [] }} {authorization.k8s.io {subjectaccessreviews false SubjectAccessReview [create] [] [] }} {authorization.k8s.io {selfsubjectrulesreviews false SelfSubjectRulesReview [create] [] [] }} {autoscaling {horizontalpodautoscalers true 
HorizontalPodAutoscaler [create delete deletecollection get list patch update watch] [hpa] [all] oQlkt7f5j/A=}} {batch {jobs true Job [create delete deletecollection get list patch update watch] [] [all] mudhfqk/qZY=}} {batch {cronjobs true CronJob [create delete deletecollection get list patch update watch] [cj] [all] h/JlFAZkyyY=}} {certificates.k8s.io {certificatesigningrequests false CertificateSigningRequest [create delete deletecollection get list patch update watch] [csr] [] UQh3YTCDIf0=}} {networking.k8s.io {networkpolicies true NetworkPolicy [create delete deletecollection get list patch update watch] [netpol] [] YpfwF18m1G8=}} {networking.k8s.io {ingresses true Ingress [create delete deletecollection get list patch update watch] [ing] [] ZOAfGflaKd0=}} {policy {poddisruptionbudgets true PodDisruptionBudget [create delete deletecollection get list patch update watch] [pdb] [] 6BGBu0kpHtk=}} {policy {podsecuritypolicies false PodSecurityPolicy [create delete deletecollection get list patch update watch] [psp] [] khBLobUXkqA=}} {rbac.authorization.k8s.io {clusterrolebindings false ClusterRoleBinding [create delete deletecollection get list patch update watch] [] [] 48tpQ8gZHFc=}} {rbac.authorization.k8s.io {roles true Role [create delete deletecollection get list patch update watch] [] [] 7FuwZcIIItM=}} {rbac.authorization.k8s.io {rolebindings true RoleBinding [create delete deletecollection get list patch update watch] [] [] eGsCzGH6b1g=}} {rbac.authorization.k8s.io {clusterroles false ClusterRole [create delete deletecollection get list patch update watch] [] [] bYE5ZWDrJ44=}} {storage.k8s.io {storageclasses false StorageClass [create delete deletecollection get list patch update watch] [sc] [] K+m6uJwbjGY=}} {storage.k8s.io {volumeattachments false VolumeAttachment [create delete deletecollection get list patch update watch] [] [] tJx/ezt6UDU=}} {storage.k8s.io {csinodes false CSINode [create delete deletecollection get list patch update watch] [] [] 
fnCuCdDgSvE=}} {storage.k8s.io {csidrivers false CSIDriver [create delete deletecollection get list patch update watch] [] [] Z7aeXSiaYTw=}} {admissionregistration.k8s.io {validatingwebhookconfigurations false ValidatingWebhookConfiguration [create delete deletecollection get list patch update watch] [] [] P9NhrezfnWE=}} {admissionregistration.k8s.io {mutatingwebhookconfigurations false MutatingWebhookConfiguration [create delete deletecollection get list patch update watch] [] [] yxW1cpLtfp8=}} {apiextensions.k8s.io {customresourcedefinitions false CustomResourceDefinition [create delete deletecollection get list patch update watch] [crd crds] [] jfWCUB31mvA=}} {scheduling.k8s.io {priorityclasses false PriorityClass [create delete deletecollection get list patch update watch] [pc] [] 1QwjyaZjj3Y=}} {coordination.k8s.io {leases true Lease [create delete deletecollection get list patch update watch] [] [] /sY7hl8ol1U=}} {node.k8s.io {runtimeclasses false RuntimeClass [create delete deletecollection get list patch update watch] [] [] 8nMHWqj34s0=}} {crd.projectcalico.org {networkpolicies networkpolicy true NetworkPolicy [delete deletecollection get list patch create update watch] [] [] vyIiswN6deY=}} {crd.projectcalico.org {globalnetworkpolicies globalnetworkpolicy false GlobalNetworkPolicy [delete deletecollection get list patch create update watch] [] [] zve4ObHFE9A=}} {crd.projectcalico.org {globalnetworksets globalnetworkset false GlobalNetworkSet [delete deletecollection get list patch create update watch] [] [] v7TCLk56Q+4=}} {crd.projectcalico.org {bgpconfigurations bgpconfiguration false BGPConfiguration [delete deletecollection get list patch create update watch] [] [] APoTH7a/ve0=}} {crd.projectcalico.org {felixconfigurations felixconfiguration false FelixConfiguration [delete deletecollection get list patch create update watch] [] [] 3qRBCjXVVr0=}} {crd.projectcalico.org {hostendpoints hostendpoint false HostEndpoint [delete deletecollection get list patch 
create update watch] [] [] lcuper2cjNA=}} {crd.projectcalico.org {ippools ippool false IPPool [delete deletecollection get list patch create update watch] [] [] 3/m0Z1pQb+k=}} {crd.projectcalico.org {clusterinformations clusterinformation false ClusterInformation [delete deletecollection get list patch create update watch] [] [] IwzLAc88EAI=}} {monitoring.coreos.com {prometheuses prometheus true Prometheus [delete deletecollection get list patch create update watch] [] [] C8naPY4eojU=}} {monitoring.coreos.com {alertmanagers alertmanager true Alertmanager [delete deletecollection get list patch create update watch] [] [] NshW3zg1K7o=}} {monitoring.coreos.com {prometheusrules prometheusrule true PrometheusRule [delete deletecollection get list patch create update watch] [] [] RSJ8iG+KDOo=}} {monitoring.coreos.com {servicemonitors servicemonitor true ServiceMonitor [delete deletecollection get list patch create update watch] [] [] JLhPcfa+5xE=}} {cluster.cattle.io {clusteruserattributes clusteruserattribute true ClusterUserAttribute [delete deletecollection get list patch create update watch] [] [] AhOsCP1Onf8=}} {cluster.cattle.io {clusterauthtokens clusterauthtoken true ClusterAuthToken [delete deletecollection get list patch create update watch] [] [] TLtjJdCmxPo=}} {metrics.k8s.io {pods true PodMetrics [get list] [] [] }} {metrics.k8s.io {nodes false NodeMetrics [get list] [] [] }}]
DEBU[0000] Checking access for bindings
DEBU[0000] Checking access for persistentvolumeclaims
DEBU[0000] Checking access for podtemplates
DEBU[0000] Checking access for nodes
DEBU[0000] Checking access for secrets
DEBU[0000] Checking access for namespaces
DEBU[0000] Checking access for resourcequotas
DEBU[0000] Checking access for persistentvolumes
DEBU[0000] Checking access for endpoints
DEBU[0000] Checking access for replicationcontrollers
DEBU[0000] Checking access for pods
DEBU[0000] Checking access for serviceaccounts
DEBU[0000] Checking access for configmaps
DEBU[0000] Checking access for events
DEBU[0000] Checking access for apiservices.apiregistration.k8s.io
DEBU[0000] Checking access for rolebindings.rbac.authorization.k8s.io
DEBU[0000] Checking access for globalnetworksets.crd.projectcalico.org
DEBU[0000] Checking access for podsecuritypolicies.extensions
DEBU[0000] Checking access for replicasets.extensions
DEBU[0000] Checking access for clusterroles.rbac.authorization.k8s.io
DEBU[0001] Checking access for deployments.extensions
DEBU[0001] Checking access for networkpolicies.extensions
DEBU[0001] Checking access for ingresses.extensions
DEBU[0001] Checking access for deployments.apps
DEBU[0001] Checking access for daemonsets.extensions
DEBU[0001] Checking access for replicasets.apps
DEBU[0001] Checking access for daemonsets.apps
DEBU[0001] Checking access for storageclasses.storage.k8s.io
DEBU[0001] Checking access for controllerrevisions.apps
DEBU[0001] Checking access for volumeattachments.storage.k8s.io
DEBU[0001] Checking access for statefulsets.apps
DEBU[0001] Checking access for csinodes.storage.k8s.io
DEBU[0001] Checking access for events.events.k8s.io
DEBU[0001] Checking access for csidrivers.storage.k8s.io
DEBU[0001] Checking access for tokenreviews.authentication.k8s.io
DEBU[0001] Checking access for selfsubjectaccessreviews.authorization.k8s.io
DEBU[0001] Checking access for localsubjectaccessreviews.authorization.k8s.io
DEBU[0001] Checking access for subjectaccessreviews.authorization.k8s.io
DEBU[0001] Checking access for validatingwebhookconfigurations.admissionregistration.k8s.io
DEBU[0001] Checking access for selfsubjectrulesreviews.authorization.k8s.io
DEBU[0001] Checking access for mutatingwebhookconfigurations.admissionregistration.k8s.io
DEBU[0001] Checking access for horizontalpodautoscalers.autoscaling
DEBU[0001] Checking access for customresourcedefinitions.apiextensions.k8s.io
DEBU[0001] Checking access for priorityclasses.scheduling.k8s.io
DEBU[0001] Checking access for jobs.batch
DEBU[0001] Checking access for cronjobs.batch
DEBU[0001] Checking access for leases.coordination.k8s.io
DEBU[0001] Checking access for runtimeclasses.node.k8s.io
DEBU[0001] Checking access for networkpolicies.crd.projectcalico.org
DEBU[0001] Checking access for globalnetworkpolicies.crd.projectcalico.org
DEBU[0001] Checking access for certificatesigningrequests.certificates.k8s.io
DEBU[0001] Checking access for networkpolicies.networking.k8s.io
DEBU[0001] Checking access for ingresses.networking.k8s.io
DEBU[0001] Checking access for poddisruptionbudgets.policy
DEBU[0001] Checking access for podsecuritypolicies.policy
DEBU[0001] Checking access for clusterrolebindings.rbac.authorization.k8s.io
DEBU[0001] Checking access for bgpconfigurations.crd.projectcalico.org
DEBU[0001] Checking access for felixconfigurations.crd.projectcalico.org
DEBU[0002] Checking access for hostendpoints.crd.projectcalico.org
DEBU[0002] Checking access for ippools.crd.projectcalico.org
DEBU[0002] Checking access for roles.rbac.authorization.k8s.io
DEBU[0002] Checking access for servicemonitors.monitoring.coreos.com
DEBU[0002] Checking access for prometheuses.monitoring.coreos.com
DEBU[0002] Checking access for alertmanagers.monitoring.coreos.com
DEBU[0002] Checking access for prometheusrules.monitoring.coreos.com
DEBU[0002] Checking access for componentstatuses
DEBU[0002] Checking access for limitranges
DEBU[0002] Checking access for services
DEBU[0002] Checking access for clusterinformations.crd.projectcalico.org
DEBU[0002] Checking access for clusteruserattributes.cluster.cattle.io
DEBU[0002] Checking access for clusterauthtokens.cluster.cattle.io
DEBU[0002] Checking access for pods.metrics.k8s.io
DEBU[0002] Checking access for nodes.metrics.k8s.io
NAME LIST CREATE UPDATE DELETE
alertmanagers.monitoring.coreos.com ✔ ✔ ✔ ✔
apiservices.apiregistration.k8s.io ✔ ✔ ✔ ✔
bgpconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
bindings ✔
certificatesigningrequests.certificates.k8s.io ✔ ✔ ✔ ✔
clusterauthtokens.cluster.cattle.io ✔ ✔ ✔ ✔
clusterinformations.crd.projectcalico.org ✔ ✔ ✔ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusteruserattributes.cluster.cattle.io ✔ ✔ ✔ ✔
componentstatuses ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csidrivers.storage.k8s.io ✔ ✔ ✔ ✔
csinodes.storage.k8s.io ✔ ✔ ✔ ✔
customresourcedefinitions.apiextensions.k8s.io ✔ ✔ ✔ ✔
daemonsets.apps ✔ ✔ ✔ ✔
daemonsets.extensions ✔ ✔ ✔ ✔
deployments.apps ✔ ✔ ✔ ✔
deployments.extensions ✔ ✔ ✔ ✔
endpoints ✔ ✔ ✔ ✔
events ✔ ✔ ✔ ✔
events.events.k8s.io ✔ ✔ ✔ ✔
felixconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworksets.crd.projectcalico.org ✔ ✔ ✔ ✔
horizontalpodautoscalers.autoscaling ✔ ✔ ✔ ✔
hostendpoints.crd.projectcalico.org ✔ ✔ ✔ ✔
ingresses.extensions ✔ ✔ ✔ ✔
ingresses.networking.k8s.io ✔ ✔ ✔ ✔
ippools.crd.projectcalico.org ✔ ✔ ✔ ✔
jobs.batch ✔ ✔ ✔ ✔
leases.coordination.k8s.io ✔ ✔ ✔ ✔
limitranges ✔ ✔ ✔ ✔
localsubjectaccessreviews.authorization.k8s.io ✔
mutatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
namespaces ✔ ✔ ✔ ✔
networkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
networkpolicies.extensions ✔ ✔ ✔ ✔
networkpolicies.networking.k8s.io ✔ ✔ ✔ ✔
nodes ✔ ✔ ✔ ✔
nodes.metrics.k8s.io ✔
persistentvolumeclaims ✔ ✔ ✔ ✔
persistentvolumes ✔ ✔ ✔ ✔
poddisruptionbudgets.policy ✔ ✔ ✔ ✔
pods ✔ ✔ ✔ ✔
pods.metrics.k8s.io ✔
podsecuritypolicies.extensions ✔ ✔ ✔ ✔
podsecuritypolicies.policy ✔ ✔ ✔ ✔
podtemplates ✔ ✔ ✔ ✔
priorityclasses.scheduling.k8s.io ✔ ✔ ✔ ✔
prometheuses.monitoring.coreos.com ✔ ✔ ✔ ✔
prometheusrules.monitoring.coreos.com ✔ ✔ ✔ ✔
replicasets.apps ✔ ✔ ✔ ✔
replicasets.extensions ✔ ✔ ✔ ✔
replicationcontrollers ✔ ✔ ✔ ✔
resourcequotas ✔ ✔ ✔ ✔
rolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
roles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
runtimeclasses.node.k8s.io ✔ ✔ ✔ ✔
secrets ✔ ✔ ✔ ✔
selfsubjectaccessreviews.authorization.k8s.io ✔
selfsubjectrulesreviews.authorization.k8s.io ✔
serviceaccounts ✔ ✔ ✔ ✔
servicemonitors.monitoring.coreos.com ✔ ✔ ✔ ✔
services ✔ ✔ ✔ ✔
statefulsets.apps ✔ ✔ ✔ ✔
storageclasses.storage.k8s.io ✔ ✔ ✔ ✔
subjectaccessreviews.authorization.k8s.io ✔
tokenreviews.authentication.k8s.io ✔
validatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
volumeattachments.storage.k8s.io ✔ ✔ ✔ ✔
No namespace given, this implies cluster scope (try -n if this is not intended)
from rakkess.
I can reproduce this on my cluster.
I applied the yaml provided by @rgl into my namespace and nothing is returned when I try to check the access matrix for the service account.
$ [☸ dev:melchior] kubectl access-matrix -v debug --sa example-go-info -n melchior
DEBU[0000] Set log-level to debug
DEBU[0000] []
NAME LIST CREATE UPDATE DELETE
$ [☸ dev:melchior] kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T12:36:28Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:05:16Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
$ [☸ dev:melchior] kubectl access-matrix
NAME LIST CREATE UPDATE DELETE
alertmanagers.monitoring.coreos.com ✔ ✔ ✔ ✔
apiservices.apiregistration.k8s.io ✔ ✔ ✔ ✔
backups.velero.io ✔ ✔ ✔ ✔
backupstoragelocations.velero.io ✔ ✔ ✔ ✔
bgpconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
bindings ✔
certificatesigningrequests.certificates.k8s.io ✔ ✔ ✔ ✔
clusterauthtokens.cluster.cattle.io ✔ ✔ ✔ ✔
clusterinformations.crd.projectcalico.org ✔ ✔ ✔ ✔
clusterrolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusterroles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
clusteruserattributes.cluster.cattle.io ✔ ✔ ✔ ✔
componentstatuses ✔
configmaps ✔ ✔ ✔ ✔
controllerrevisions.apps ✔ ✔ ✔ ✔
cronjobs.batch ✔ ✔ ✔ ✔
csidrivers.storage.k8s.io ✔ ✔ ✔ ✔
csinodes.storage.k8s.io ✔ ✔ ✔ ✔
customresourcedefinitions.apiextensions.k8s.io ✔ ✔ ✔ ✔
daemonsets.apps ✔ ✔ ✔ ✔
daemonsets.extensions ✔ ✔ ✔ ✔
deletebackuprequests.velero.io ✔ ✔ ✔ ✔
deployments.apps ✔ ✔ ✔ ✔
deployments.extensions ✔ ✔ ✔ ✔
downloadrequests.velero.io ✔ ✔ ✔ ✔
endpoints ✔ ✔ ✔ ✔
events ✔ ✔ ✔ ✔
events.events.k8s.io ✔ ✔ ✔ ✔
felixconfigurations.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
globalnetworksets.crd.projectcalico.org ✔ ✔ ✔ ✔
horizontalpodautoscalers.autoscaling ✔ ✔ ✔ ✔
hostendpoints.crd.projectcalico.org ✔ ✔ ✔ ✔
ingresses.extensions ✔ ✔ ✔ ✔
ingresses.networking.k8s.io ✔ ✔ ✔ ✔
ippools.crd.projectcalico.org ✔ ✔ ✔ ✔
jobs.batch ✔ ✔ ✔ ✔
leases.coordination.k8s.io ✔ ✔ ✔ ✔
limitranges ✔ ✔ ✔ ✔
localsubjectaccessreviews.authorization.k8s.io ✔
mutatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
namespaces ✔ ✔ ✔ ✔
networkpolicies.crd.projectcalico.org ✔ ✔ ✔ ✔
networkpolicies.extensions ✔ ✔ ✔ ✔
networkpolicies.networking.k8s.io ✔ ✔ ✔ ✔
nodes ✔ ✔ ✔ ✔
nodes.metrics.k8s.io ✔
persistentvolumeclaims ✔ ✔ ✔ ✔
persistentvolumes ✔ ✔ ✔ ✔
poddisruptionbudgets.policy ✔ ✔ ✔ ✔
pods ✔ ✔ ✔ ✔
pods.metrics.k8s.io ✔
podsecuritypolicies.extensions ✔ ✔ ✔ ✔
podsecuritypolicies.policy ✔ ✔ ✔ ✔
podtemplates ✔ ✔ ✔ ✔
podvolumebackups.velero.io ✔ ✔ ✔ ✔
podvolumerestores.velero.io ✔ ✔ ✔ ✔
priorityclasses.scheduling.k8s.io ✔ ✔ ✔ ✔
prometheuses.monitoring.coreos.com ✔ ✔ ✔ ✔
prometheusrules.monitoring.coreos.com ✔ ✔ ✔ ✔
replicasets.apps ✔ ✔ ✔ ✔
replicasets.extensions ✔ ✔ ✔ ✔
replicationcontrollers ✔ ✔ ✔ ✔
resourcequotas ✔ ✔ ✔ ✔
resticrepositories.velero.io ✔ ✔ ✔ ✔
restores.velero.io ✔ ✔ ✔ ✔
rolebindings.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
roles.rbac.authorization.k8s.io ✔ ✔ ✔ ✔
runtimeclasses.node.k8s.io ✔ ✔ ✔ ✔
schedules.velero.io ✔ ✔ ✔ ✔
secrets ✔ ✔ ✔ ✔
selfsubjectaccessreviews.authorization.k8s.io ✔
selfsubjectrulesreviews.authorization.k8s.io ✔
serverstatusrequests.velero.io ✔ ✔ ✔ ✔
serviceaccounts ✔ ✔ ✔ ✔
servicemonitors.monitoring.coreos.com ✔ ✔ ✔ ✔
services ✔ ✔ ✔ ✔
statefulsets.apps ✔ ✔ ✔ ✔
storageclasses.storage.k8s.io ✔ ✔ ✔ ✔
studyjobs.kubeflow.org ✔ ✔ ✔ ✔
subjectaccessreviews.authorization.k8s.io ✔
tfjobs.kubeflow.org ✔ ✔ ✔ ✔
tokenreviews.authentication.k8s.io ✔
validatingwebhookconfigurations.admissionregistration.k8s.io ✔ ✔ ✔ ✔
volumeattachments.storage.k8s.io ✔ ✔ ✔ ✔
volumesnapshotlocations.velero.io ✔ ✔ ✔ ✔
No namespace given, this implies cluster scope (try -n if this is not intended)
from rakkess.
I may have some insight into the problem. I think it's specifically related to Rancher.
I assume you are connecting to your cluster through Rancher's auth-proxy @rgl, so was I.
Something with how this plugin is written causes the requests to not get passed through to the actual cluster you're trying to access when they include the sa or as options.
When I switch to the FQDN for the cluster (and skip cert validation because they are self-signed in this case) I get the expected result. This is interacting directly with the API server for that cluster and bypassing the Rancher auth-proxy.
[☸ dev-fqdn:default] kubectl access-matrix --sa example-go-info -n melchior --insecure-skip-tls-verify
NAME LIST CREATE UPDATE DELETE
alertmanagers.monitoring.coreos.com ✖ ✖ ✖ ✖
backups.velero.io ✖ ✖ ✖ ✖
backupstoragelocations.velero.io ✖ ✖ ✖ ✖
bindings ✖
clusterauthtokens.cluster.cattle.io ✖ ✖ ✖ ✖
clusteruserattributes.cluster.cattle.io ✖ ✖ ✖ ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
daemonsets.extensions ✖ ✖ ✖ ✖
deletebackuprequests.velero.io ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
deployments.extensions ✖ ✖ ✖ ✖
downloadrequests.velero.io ✖ ✖ ✖ ✖
endpoints ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
networkpolicies.crd.projectcalico.org ✖ ✖ ✖ ✖
networkpolicies.extensions ✖ ✖ ✖ ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✔ ✖ ✖ ✖
pods.metrics.k8s.io ✖
podtemplates ✖ ✖ ✖ ✖
podvolumebackups.velero.io ✖ ✖ ✖ ✖
podvolumerestores.velero.io ✖ ✖ ✖ ✖
prometheuses.monitoring.coreos.com ✖ ✖ ✖ ✖
prometheusrules.monitoring.coreos.com ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicasets.extensions ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
resticrepositories.velero.io ✖ ✖ ✖ ✖
restores.velero.io ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
schedules.velero.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
serverstatusrequests.velero.io ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖
servicemonitors.monitoring.coreos.com ✖ ✖ ✖ ✖
services ✖ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
studyjobs.kubeflow.org ✖ ✖ ✖ ✖
tfjobs.kubeflow.org ✖ ✖ ✖ ✖
volumesnapshotlocations.velero.io ✖ ✖ ✖ ✖
from rakkess.
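An added example, not part of the thread and not rakkess code: through the proxy the matrix comes back with a header and no rows, which is easy to misread as "no access", so the sketch below classifies access-matrix output and separates that case from a real all-denied result. The function names are hypothetical, the sample outputs are abridged from the ones posted above, and `crosscheck` assumes a reachable cluster.

```shell
#!/usr/bin/env bash
# Added example (not rakkess code). Function names are hypothetical.

# Username the API server sees when a service account is impersonated.
sa_username() {  # $1 = namespace, $2 = service account
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Classify access-matrix output on stdin:
#   no-header  the tool printed no matrix at all
#   empty      header but no resource rows (the symptom in this thread)
#   denied     rows present, none allowed
#   granted    at least one allowed verb
classify_matrix() {
  awk '
    $1 == "NAME" { header = 1; next }
    header && ($2 == "✔" || $2 == "✖") { rows++; if (index($0, "✔")) allowed++ }
    END {
      if (!header)      print "no-header"
      else if (!rows)   print "empty"
      else if (allowed) print "granted"
      else              print "denied"
    }'
}

# Cross-check that does not depend on rakkess, using kubectl's own
# impersonation flag. Needs a live cluster, so it is defined but not called.
crosscheck() {  # $1 = namespace, $2 = service account, $3 = verb, $4 = resource
  kubectl auth can-i "$3" "$4" --as "$(sa_username "$1" "$2")" -n "$1"
}

# Sample outputs abridged from the ones posted in this thread.
PROXY_OUT='DEBU[0000] Set log-level to debug
DEBU[0000] []
NAME LIST CREATE UPDATE DELETE'
DIRECT_OUT='NAME LIST CREATE UPDATE DELETE
configmaps ✖ ✖ ✖ ✖
pods ✔ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖'

printf 'via proxy: %s\n' "$(printf '%s\n' "$PROXY_OUT" | classify_matrix)"
printf 'direct:    %s\n' "$(printf '%s\n' "$DIRECT_OUT" | classify_matrix)"
```

An `empty` result means the check itself did not run to completion and says nothing about the account's rights; treat it as a tooling or proxy failure, not as a denial.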
Hey @rgl, I tried to reproduce this locally, but could not reproduce the bug. I think that @switchboardOp has found a pretty good lead on what's going wrong here, but I don't have the capacity to reproduce the setup. Thus I can also not investigate this further.
My guess is that this is an upstream bug anyways, because rakkess is using the standard cli-go library to talk to the api-server. So it's likely not the only tool which is affected.
Therefore I'm going to close this for now. However, if you are affected, please upvote or leave a note.
Thanks again for reporting and investigating!
from rakkess.
Hey @rgl, can you give this another try? I just released version v0.4.2 with updated k8s dependencies. Maybe that fixes the issue.
from rakkess.