48 lines
1.1 KiB
Go
48 lines
1.1 KiB
Go
package k8s
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/rs/zerolog"
|
|
authorizationv1 "k8s.io/api/authorization/v1"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
"k8s.io/client-go/kubernetes"
|
|
)
|
|
|
|
// CanIAccess checks if user has access to a certain resource.
|
|
func CanIAccess(cfg *Config, log zerolog.Logger, ns, verb, name, resURL string) bool {
|
|
_, gr := schema.ParseResourceArg(strings.ToLower(resURL))
|
|
sar := &authorizationv1.SelfSubjectAccessReview{
|
|
Spec: authorizationv1.SelfSubjectAccessReviewSpec{
|
|
ResourceAttributes: &authorizationv1.ResourceAttributes{
|
|
Namespace: ns,
|
|
Verb: verb,
|
|
Group: gr.Group,
|
|
Resource: gr.Resource,
|
|
Subresource: "",
|
|
Name: name,
|
|
},
|
|
},
|
|
}
|
|
|
|
rest, err := cfg.RESTConfig()
|
|
if err != nil {
|
|
log.Warn().Msgf("Access %s", err)
|
|
return false
|
|
}
|
|
|
|
auth, err := kubernetes.NewForConfig(rest)
|
|
if err != nil {
|
|
log.Warn().Msgf("Access %s", err)
|
|
return false
|
|
}
|
|
|
|
response, err := auth.AuthorizationV1().SelfSubjectAccessReviews().Create(sar)
|
|
if err != nil {
|
|
log.Warn().Msgf("Access %s", err)
|
|
return false
|
|
}
|
|
|
|
return response.Status.Allowed
|
|
}
|