You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
# (A) fails:
$ kubectl get clusterrolebinding -o jsonpath='{.items[:].subjects[?(@.kind=="Group")].name}'
# (B) fails:
$ kubectl get clusterrolebinding -o jsonpath='{.items[?(@.subjects)].subjects[?(@.kind=="Group")].name}'
# (C) succeeds:
$ kubectl get clusterrolebinding -o jsonpath='{.items[?(@.metadata.name!="system:node")].subjects[?(@.kind=="Group")].name}'
The system:node ClusterRoleBinding doesn't have any subjects, and it serializes the field as"subjects": null, which leads to the error.
Case (B) above tries to filter out the elements where subjects doesn't exist, but subjects does exist and it's nil. Case (C) shows that if the filter is applied and the offending element is gone, then the rest of the kubectl statement works fine.
This isn't a great user experiences, so the problem is one of
the jsonpath utility existence filter should filter out fields where the value is nil (? or is false?? or is default???)
the subjects field should not appear in the serialization, i.e. omitEmpty
the subjects field should be serialized as an empty array and not as nil.
If it seems that the problem is with the jsonPath filter rather than ClusterRoleBinding, please retitle the issue.
The text was updated successfully, but these errors were encountered:
k8s-ci-robot
added
sig/auth
Categorizes an issue or PR as relevant to SIG Auth.
and removed
needs-sig
Indicates an issue or PR lacks a `sig/foo` label and requires one.
labels
Mar 7, 2018
/kind bug
Using kubectl + jsonpath to report the names of the groups, users or serviceaccounts that are in play in a cluster:
Get error message when jsonpath sees a nil instead of an array
I expect to see the list of groups
Accessing a v1.9.2 rbac-enabled cluster
The
system:node
ClusterRoleBinding doesn't have any subjects, and it serializes the field as"subjects": null
, which leads to the error.Case (B) above tries to filter out the elements where
subjects
doesn't exist, butsubjects
does exist and it's nil. Case (C) shows that if the filter is applied and the offending element is gone, then the rest of the kubectl statement works fine.This isn't a great user experiences, so the problem is one of
If it seems that the problem is with the jsonPath filter rather than ClusterRoleBinding, please retitle the issue.
The text was updated successfully, but these errors were encountered: