type ClusterRoleBinding Subjects serializer should omitEmpty or be empty array

[ntfrnzn]

/kind bug

Using kubectl + jsonpath to report the names of the groups, users or serviceaccounts that are in play in a cluster:

$ kubectl get clusterrolebinding -o jsonpath='{.items[:].subjects[?(@.kind=="Group")].name}'

Get error message when jsonpath sees a nil instead of an array

error: error executing jsonpath "{.items[:].subjects[?(@.kind==\"Group\")].name}": <nil> is not array or slice and cannot be filtered

I expect to see the list of groups

system:masters system:authenticated system:unauthenticated system:authenticated system:unauthenticated

Accessing a v1.9.2 rbac-enabled cluster

# (A) fails:
$ kubectl get clusterrolebinding -o jsonpath='{.items[:].subjects[?(@.kind=="Group")].name}'

# (B) fails:
$ kubectl get clusterrolebinding -o jsonpath='{.items[?(@.subjects)].subjects[?(@.kind=="Group")].name}'

# (C) succeeds:
$ kubectl get clusterrolebinding -o jsonpath='{.items[?(@.metadata.name!="system:node")].subjects[?(@.kind=="Group")].name}'

The system:node ClusterRoleBinding doesn't have any subjects, and it serializes the field as"subjects": null, which leads to the error.

Case (B) above tries to filter out the elements where subjects doesn't exist, but subjects does exist and it's nil. Case (C) shows that if the filter is applied and the offending element is gone, then the rest of the kubectl statement works fine.

This isn't a great user experiences, so the problem is one of

• the jsonpath utility existence filter should filter out fields where the value is nil (? or is false?? or is default???)
• the subjects field should not appear in the serialization, i.e. omitEmpty
• the subjects field should be serialized as an empty array and not as nil.

If it seems that the problem is with the jsonPath filter rather than ClusterRoleBinding, please retitle the issue.

[dims]

/sig auth

[liggitt]

fixed in #60741

/close