invalid Roles are outputted #24
Comments
Thanks for reporting the issue... it's very strange, since I've seen generation of create roles work properly, emitting without At first I thought it might be differences in audit configurations sometimes emitting the resource name in audit events for create requests, but in that same demo, you can see create requests audit events containing object names (e.g. at https://www.youtube.com/watch?v=n2cD20moYe8&t=5s at 0:05), so in that configuration, audit events contained names of objects being created, and a create permission was added to the role without populating the name. I'll take a look to see if I can figure out why this was sometimes producing correct create roles, and make the output work consistently.
Would it help if I sent you the audit log?
Sure, test data is always welcome, though the transformation from audit events to authorizer attributes clearly just copies in the objectRef name: audit2rbac/cmd/audit2rbac/audit2rbac.go, lines 572 to 580 in dc2769a.
So if the audit log has an objectRef with a name attribute populated, that will drive a simulated authorization check that doesn't match the authorization check that would have been done in reality.
The tool is great but has a bug: it outputs Roles and ClusterRoles with resourceNames even when the rule includes the create verb, which is not possible in K8s.
Is this something that can be fixed in the project?
Currently I am manually removing the resourceNames field from those places, but it would be much better if the tool did this itself.
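The manual clean-up described in this issue can be automated as a post-processing step over the generated manifests. The following is an added example and not audit2rbac's own code; it uses constructed, trimmed-down mirrors of the rbac.authorization.k8s.io/v1 Role and PolicyRule types rather than the k8s.io API packages, and the sample manifest is constructed to look like the problematic output. Rather than deleting resourceNames from the whole rule (which would widen get/update to every object of that resource), it splits each affected rule in two: an unrestricted rule for the create verb and a name-restricted rule for the remaining verbs. It generalizes slightly beyond the issue by treating deletecollection the same way, since the Kubernetes RBAC documentation states that request type also cannot be restricted by resource name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// PolicyRule and Role are constructed, trimmed-down mirrors of the
// rbac.authorization.k8s.io/v1 types (not the k8s.io API packages), so this
// example runs with only the standard library.
type PolicyRule struct {
	APIGroups     []string `json:"apiGroups,omitempty"`
	Resources     []string `json:"resources,omitempty"`
	ResourceNames []string `json:"resourceNames,omitempty"`
	Verbs         []string `json:"verbs"`
}

type Role struct {
	APIVersion string          `json:"apiVersion"`
	Kind       string          `json:"kind"`
	Metadata   json.RawMessage `json:"metadata"`
	Rules      []PolicyRule    `json:"rules"`
}

// Verbs the RBAC authorizer never evaluates against resourceNames: the request
// carries no object name at authorization time, so a rule combining them with
// resourceNames can never match. "create" is the case from this issue;
// "deletecollection" is added based on the Kubernetes RBAC documentation.
var nameUnrestrictableVerbs = map[string]bool{
	"create":           true,
	"deletecollection": true,
}

// SplitNameRestrictedRules rewrites each rule so resourceNames is never paired
// with a verb it cannot restrict. Instead of dropping resourceNames from the
// whole rule, the rule is split: an unrestricted rule for the unrestrictable
// verbs, and a name-restricted rule for the rest. Rule order is preserved.
func SplitNameRestrictedRules(rules []PolicyRule) []PolicyRule {
	out := make([]PolicyRule, 0, len(rules))
	for _, r := range rules {
		if len(r.ResourceNames) == 0 {
			out = append(out, r) // nothing to fix
			continue
		}
		var unrestricted, restricted []string
		for _, v := range r.Verbs {
			if nameUnrestrictableVerbs[v] {
				unrestricted = append(unrestricted, v)
			} else {
				restricted = append(restricted, v)
			}
		}
		if len(unrestricted) > 0 {
			out = append(out, PolicyRule{APIGroups: r.APIGroups, Resources: r.Resources, Verbs: unrestricted})
		}
		if len(restricted) > 0 {
			out = append(out, PolicyRule{APIGroups: r.APIGroups, Resources: r.Resources, ResourceNames: r.ResourceNames, Verbs: restricted})
		}
	}
	return out
}

// FixRole parses a Role or ClusterRole manifest (JSON) and returns it with its
// rules rewritten; other kinds are rejected.
func FixRole(manifest []byte) (Role, error) {
	var role Role
	if err := json.Unmarshal(manifest, &role); err != nil {
		return Role{}, fmt.Errorf("parsing manifest: %w", err)
	}
	if role.Kind != "Role" && role.Kind != "ClusterRole" {
		return Role{}, fmt.Errorf("unsupported kind %q", role.Kind)
	}
	role.Rules = SplitNameRestrictedRules(role.Rules)
	return role, nil
}

// SampleRole is a constructed manifest shaped like the output described in the
// issue: a name-restricted rule that also grants create.
const SampleRole = `{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "audit2rbac:app", "namespace": "default"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["app-config"], "verbs": ["create", "get", "update"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]}
  ]
}`

func main() {
	role, err := FixRole([]byte(SampleRole))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(role, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints the role with three rules: create on configmaps with no resourceNames, get/update on configmaps still restricted to app-config, and the untouched pods rule. Splitting rather than stripping keeps the least-privilege intent of the name restriction for the verbs that can honour it.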