
How to use subject access review in kubernetes-client? #1455

Closed
raiRaiyan opened this issue Mar 25, 2019 · 7 comments

Comments

@raiRaiyan
Contributor

I want to use the kubernetes client to figure out if the client has the required permission to the resource. I can do this in kubectl using the following command:

kubectl auth can-i create deployments --namespace dev

This API uses SelfSubjectAccessReview according to the documentation. Does the kubernetes-client support this? If yes, how do I use it?

Going through the source code, I was able to create the API object from io.fabric8.kubernetes.api.model.authorization like this:

LocalSubjectAccessReview review = new LocalSubjectAccessReviewBuilder()
        .withNewSpec()
        .withNewResourceAttributes()
        .withResource("namespace")
        .withVerb("create")
        .endResourceAttributes()
        .endSpec().build();

But I cannot use this either, as there is no Handler for this type of resource. Is there any way that I can use this API object for the time being?
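As an added example that is not part of this issue or of the kubernetes-client code base: the request that `kubectl auth can-i` makes is a POST of a SelfSubjectAccessReview to the authorization API, and the answer comes back in the object's status. The Python below builds that body, builds the namespaced LocalSubjectAccessReview variant used in the snippet above (which asks about another subject rather than the caller, and therefore needs its own permission), and interprets the status fields of a constructed response. Function names, the sample responses and the `apps` group for deployments are my own choices, not anything the fabric8 client exposes.

```python
"""Added example (not kubernetes-client code): the SelfSubjectAccessReview
that `kubectl auth can-i` posts, the LocalSubjectAccessReview variant, and
how to read the status the API server fills in."""
import json

AUTHZ_API = "authorization.k8s.io/v1"
# Endpoint the review is POSTed to; the server answers with the same
# object plus a populated .status.
SSAR_PATH = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"


def resource_attributes(verb, resource, namespace="", group="", subresource="", name=""):
    """Build spec.resourceAttributes. `resource` is the lowercase plural
    API name ("deployments", "namespaces"): RBAC rules are written against
    that form, so a review for the singular "namespace" would not match a
    rule that grants access to "namespaces"."""
    attrs = {"verb": verb, "resource": resource}
    for key, value in (("namespace", namespace), ("group", group),
                       ("subresource", subresource), ("name", name)):
        if value:
            attrs[key] = value
    return attrs


def self_subject_access_review(verb, resource, **kwargs):
    """Equivalent of `kubectl auth can-i <verb> <resource> [-n ns]`:
    asks whether the caller's own identity may perform the action."""
    return {
        "apiVersion": AUTHZ_API,
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": resource_attributes(verb, resource, **kwargs)},
    }


def local_subject_access_review(user, groups, verb, resource, namespace, **kwargs):
    """Namespaced review about ANOTHER subject. The caller needs permission
    to create localsubjectaccessreviews in that namespace, and
    metadata.namespace must equal spec.resourceAttributes.namespace."""
    attrs = resource_attributes(verb, resource, namespace=namespace, **kwargs)
    return {
        "apiVersion": AUTHZ_API,
        "kind": "LocalSubjectAccessReview",
        "metadata": {"namespace": namespace},
        "spec": {"user": user, "groups": list(groups), "resourceAttributes": attrs},
    }


def interpret_review(review):
    """Reduce a returned review's .status to a verdict. `allowed` is the
    only field that grants; `denied` is set when an authorizer explicitly
    refused; neither set means no authorizer had an opinion, which the
    API server treats like a denial. evaluationError is reported separately
    because the server may still reach a decision despite it."""
    status = review.get("status") or {}
    allowed = bool(status.get("allowed"))
    if allowed:
        verdict = "allowed"
    elif status.get("denied"):
        verdict = "denied"
    else:
        verdict = "no-opinion"
    return {
        "allowed": allowed,
        "verdict": verdict,
        "reason": status.get("reason", ""),
        "evaluation_error": status.get("evaluationError", ""),
    }


# Constructed responses in the shape the API server returns; not captured
# from a real cluster.
SAMPLE_RESPONSES = {
    "allowed": {"kind": "SelfSubjectAccessReview", "apiVersion": AUTHZ_API,
                "status": {"allowed": True,
                           "reason": "RBAC: allowed by RoleBinding \"dev-editor/dev\""}},
    "denied": {"kind": "SelfSubjectAccessReview", "apiVersion": AUTHZ_API,
               "status": {"allowed": False, "denied": True,
                          "reason": "webhook: explicitly denied"}},
    "no_opinion": {"kind": "SelfSubjectAccessReview", "apiVersion": AUTHZ_API,
                   "status": {"allowed": False}},
    "error": {"kind": "SelfSubjectAccessReview", "apiVersion": AUTHZ_API,
              "status": {"allowed": False,
                         "evaluationError": "webhook authorizer timed out"}},
}


if __name__ == "__main__":
    body = self_subject_access_review("create", "deployments", namespace="dev", group="apps")
    print("POST", SSAR_PATH)
    print(json.dumps(body, indent=2))
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, "->", interpret_review(resp))
```

The body printed for `create deployments` in `dev` is the same object `kubectl auth can-i create deployments --namespace dev` sends; it can also be piped to `kubectl create -f - -o yaml`, which returns the review with its status filled in. Treat only `allowed: true` as a grant; a review with `evaluationError` set and `allowed: false` should be surfaced as a check failure, not silently read as "denied".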

@rohanKanojia
Member

Does it work when you use resource DSL for creation? Something like this:

KubernetesClient client = new DefaultKubernetesClient();
HasMetadata response = client.resource(review).inNamespace("dev").createOrReplace();

@raiRaiyan
Contributor Author

No, it does not work. I get this error:

No handler found for object:LocalSubjectAccessReview(apiVersion=authorization.k8s.io/v1, kind=LocalSubjectAccessReview, metadata=null, spec=SubjectAccessReviewSpec(extra={}, groups=[], nonResourceAttributes=null, resourceAttributes=ResourceAttributes(group=null, name=null, namespace=null, resource=namespace, subresource=null, verb=create, version=null, additionalProperties={}), uid=null, user=null, additionalProperties={}), status=null, additionalProperties={})

I tried converting the review object to json and using load:

ObjectMapper mapper = new ObjectMapper(); // Jackson
String json = mapper.writeValueAsString(review);
List<HasMetadata> result = ((DefaultKubernetesClient) client).load(new ByteArrayInputStream(json.getBytes())).fromServer().get();

I get the same error. It looks for a handler for this object type and fails. Following is the stack trace:

java.lang.NullPointerException: null
	at io.fabric8.kubernetes.client.dsl.internal.NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.acceptVisitors(NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.java:289)
	at io.fabric8.kubernetes.client.dsl.internal.NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.get(NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.java:267)
	at io.fabric8.kubernetes.client.dsl.internal.NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.get(NamespaceVisitFromServerGetWatchDeleteRecreateWaitApplicableListImpl.java:64)
	at com.app.kube.util.KubernetesUtils.verifyUserAccount(KubernetesUtils.java:59)

@rohanKanojia
Member

Oh, try to do it like this:

SubjectAccessReviewResponse response = client.subjectAccessReviews().inNamespace("test").create(new LocalSubjectAccessReviewBuilder().build());

@raiRaiyan
Contributor Author

That works only for the OpenShift client. I am using the Kubernetes client, and it is not adaptable.

@rohanKanojia
Member

@raiRaiyan: Could you please create a PR to add this to the kubernetes-client DSL?

@raiRaiyan
Contributor Author

Ok. I will submit a PR once I get it working.

@rohanKanojia
Member

Closed via #1466
