Merge pull request #13 from reactiveops/rs/cleanup

Support for Filtering by Subject Kind, Better Auth, More Tests

Gopkg.toml

@@ -0,0 +1,12 @@
+[[constraint]]
+  name = "github.com/spf13/cobra"
+  version = "~0.0.3"
+[[constraint]]
+  name = "k8s.io/api"
+  version = "kubernetes-1.13.4"
+[[constraint]]
+  name = "k8s.io/apimachinery"
+  version = "kubernetes-1.13.4"
+[[constraint]]
+  name = "k8s.io/client-go"
+  version = "~10.0.0"

README.md

@@ -27,19 +27,10 @@ [email protected]           cluster-wide      ClusterRole/view
 [email protected]           nginx-ingress     ClusterRole/edit
 ```
 
-The wide output option includes the kind of subject (user, service account, or group), along with the source role binding.
+The wide output option includes the kind of subject along with the source role binding.
 
 ```
-rbac-lookup rob -owide
-
-SUBJECT                   SCOPE             ROLE                SOURCE
-User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
-User/[email protected]      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit
-```
-
-With a more generic query, we can see that a variety of users and service accounts can be returned, as long as they match the query.
-```
-rbac-lookup ro -owide
+rbac-lookup ro --output wide
 
 SUBJECT                   SCOPE             ROLE                SOURCE
 User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
@@ -48,12 +39,15 @@ User/[email protected]      web               ClusterRole/edit    RoleBinding/ron-
 ServiceAccount/rops       infra             ClusterRole/admin   RoleBinding/rops-admin
 ```
 
-Of course a query is an optional parameter for rbac-lookup. You could simply run `rbac-lookup` to get a full picture of authorization in your cluster, and then pipe that output to something like grep for your own more advanced filtering.
+It's also possible to filter output by the kind of RBAC Subject. The `--kind` or `-k` parameter accepts `user`, `group`, and `serviceaccount` as values.
+
 ```
-rbac-lookup | grep rob
+rbac-lookup ro --output wide --kind user
 
+SUBJECT                   SCOPE             ROLE                SOURCE
 User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
 User/[email protected]      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit
+User/[email protected]      web               ClusterRole/edit    RoleBinding/ron-edit
 ```
 
 ### GKE IAM Integration
@@ -73,7 +67,7 @@ [email protected]      project-wide      IAM/viewer
 Of course this GKE integration also supports wide output, in this case referencing the specific IAM roles that are assigned to a user.
 
 ```
-rbac-lookup rob --gke -owide
+rbac-lookup rob --gke --output wide
 
 SUBJECT                   SCOPE             ROLE                SOURCE
 User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
@@ -84,8 +78,14 @@ User/[email protected]      project-wide      IAM/gcp-viewer      IAMRole/viewer
 
 At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view [lookup/gke_roles.go](lookup/gke_roles.go).
 
-### Kubernetes Configuration
-If a `KUBECONFIG` environment variable is specified, rbac-lookup will attempt to use the config at that path, otherwise it will default to `~/.kube/config`.
+## Flags Supported
+```
+      --context string   context to use for Kubernetes config
+      --gke              enable GKE integration
+  -h, --help             help for rbac-lookup
+  -k, --kind string      filter by this RBAC subject kind (user, group, serviceaccount)
+  -o, --output string    output format (normal, wide)
+```
 
 ## RBAC Manager
 While RBAC Lookup helps provide visibility into Kubernetes auth, RBAC Manager helps make auth simpler to manage. This is a Kubernetes operator that enables more concise RBAC configuration that is easier to scale and automate. For more information, see [RBAC Manager on GitHub](https://github.com/reactiveops/rbac-manager).

cmd/root.go

@@ -17,13 +17,16 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/reactiveops/rbac-lookup/lookup"
 	"github.com/spf13/cobra"
 )
 
-var output string
-var gke bool
+var outputFormat string
+var enableGke bool
+var kubeContext string
+var subjectKind string
 
 var rootCmd = &cobra.Command{
 	Use:   "rbac-lookup [subject query]",
@@ -32,16 +35,20 @@ var rootCmd = &cobra.Command{
 	Args:  cobra.RangeArgs(0, 1),
 	Run: func(cmd *cobra.Command, args []string) {
 		if err := cmd.ParseFlags(args); err != nil {
-			fmt.Printf("Error parsing flags: %v", err)
+			fmt.Printf("Error parsing flags: %v\n", err)
 		}
 
-		lookup.List(args, output, gke)
+		subjectKind = strings.ToLower(subjectKind)
+
+		lookup.List(args, kubeContext, outputFormat, subjectKind, enableGke)
 	},
 }
 
 func init() {
-	rootCmd.PersistentFlags().StringVarP(&output, "output", "o", "", "output format (normal,wide)")
-	rootCmd.PersistentFlags().BoolVar(&gke, "gke", false, "enable GKE integration")
+	rootCmd.PersistentFlags().StringVarP(&outputFormat, "output", "o", "", "output format (normal, wide)")
+	rootCmd.PersistentFlags().StringVarP(&kubeContext, "context", "", "", "context to use for Kubernetes config")
+	rootCmd.PersistentFlags().StringVarP(&subjectKind, "kind", "k", "", "filter by this RBAC subject kind (user, group, serviceaccount)")
+	rootCmd.PersistentFlags().BoolVar(&enableGke, "gke", false, "enable GKE integration")
 }
 
 // Execute is the primary entrypoint for this CLI

cmd/version.go

@@ -28,6 +28,6 @@ var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Print the version number of rbac-lookup",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println("rbac-lookup version 0.2.1")
+		fmt.Println("rbac-lookup version 0.3.0")
 	},
 }