The goals of the
k8s-resource-client library is to create an out-of-cluster client experience that enables easily querying up-to-date resources from a Kubernetes cluster while dealing with the class of concerns around API authorization. To do this, the client has two modes of operation
explicit. In both cases, the
auth.v1.SelfSubjectAccessReview API will be used to validate that a minimal set of access is provided for a resource. If that minimal access is not allowed with the currently configured credentials the resource will be marked as
FailedSubjectAccessReview and attempts to fetch object(s) for that resource endpoint will return an nil response and a typed error containing the details of the failure.
Namespaces are treated as a special resource and can have their mode set to
auto (default) or
explicit indpendently of the mode set for other resources.
Modes of Operation
Minimal RBAC requirements for this client are the
Watch verbs for the resource you wish to view objects for. By default, the client will attempt to validate the minimal RBAC requirements by issuing a
SelfSubjectAccessReview request for a resource. This behavior may be explictily skippend by the user.
auto mode the client will do best effort to discover Kubernetes resources. After discovering the resources a subject access review will be created for every discovered resource unless that behavior has been explicitly disabled.
explicit mode the client will be provided a list of resources. An attempt to query any resources not configured when in explict mode will produce a
ResourceNotSynced error. For each resource listed a subject access review will be created unless that behavior has been explicitly disabled.
- namespaces: auto, explicit
- namespace-scoped-resources: auto, explicit
- cluster-scoped-resources: auto, explicit
- refresh-subject-access-interval: default 5m
Package subjectaccess provides functions for listing resource access in a Kubernetes cluster.
|Package subjectaccess provides functions for listing resource access in a Kubernetes cluster.|