Skip to content

/ kubeauth

kubeauth is a program to assist usage of kubectl for user/group related operations.

MPL-2.0 License
0 stars 0 forks
Star
Watch
master
1 branch 1 tag
Go to file
Code
Clone

Use Git or checkout with SVN using the web URL.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
cmd/kubeauth
 
 
internal
 
 
testdata/cover
 
 
.gitignore
 
 
.travis.yml
 
 
CHANGELOG.md
 
 
LICENSE
 
 
Makefile
 
 
README.md
 
 
go.mod
 
 
go.sum
 
 

README.md

kubeauth GoDoc Go Report Card Build Status

kubeauth is a program to assist usage of kubectl for user/group related operations. It currently provides two commands:

  1. add-user creates a service account based user, adds the credentials to the selected kubeconfig, and optionally creates bindings to existing roles or cluster roles.
  2. ctl wraps kubectl invocation and validates flags such as --as and --as-group.

add-user

Examples

Create the kubeconfig user "tester" based on service account "default" in the "dev" namespace. Also bind it to a role and cluster role. The --role and --cluster-role flags may be supplied multiple times.

kubeauth add-user -v=1 \
  --user tester \
  --account default \
  --namespace dev \
  --role role_name_0:binding_name_0 \
  --cluster-role role_name_1:binding_name_1

Validation checks

  • --role: role exists in effective namespace
  • --cluster-role: cluster role exists

ctl

  • Invocation format: ctl [kubectl sub-command] [kubeauth flags] -- [kubectl sub-command flags]
  • ctl flags which are also accepted by kubectl will be passed to the latter.

Examples

Verify that "tester" exists and run "kubectl auth can-i -v=1 --as tester --list".

kubeauth ctl auth can-i -v=1 \
  --as tester \
  -- --list

Verify that "system:serviceaccount:dev:default" exists and run "kubectl auth can-i -v=1 --as system:serviceaccount:dev:default --list".

kubeauth ctl auth can-i -v=1 \
  --as system:serviceaccount:dev:default \
  -- --list

Validation checks

  • effective context exists
  • effective namespace exists
  • --as selection exists
  • --as-group selection exists
  • agreement between --cluster and effective context's cluster

Development

License

Mozilla Public License Version 2.0 (About, FAQ)

Contributing

  • Please feel free to submit issues, PRs, questions, and feedback.
  • Although this repository consists of snapshots extracted from a private monorepo using transplant, PRs are welcome. Standard GitHub workflows are still used.

Testing

ctl

FAQ

  • ctl
    • Q: When verbose output is enabled with -v=1 and I use --as/--as-group flags, why do I not always see in namespace X in the messages describing where the user/group was found?
      • A: It may be that the --as/--as-group identity was found in a role or cluster-role binding where the Subject object contained an empty Namespace field. At the time this was written, the empty value is expected for User and Group subjects because those object kinds are considered "non-namespace".

About

kubeauth is a program to assist usage of kubectl for user/group related operations.

Topics

kubernetes kubectl devops-tools golang go

Resources

Readme

License

MPL-2.0 License

Releases

1 tags

Packages

No packages published

Languages

You can’t perform that action at this time.