Merge pull request #96145 from ingvagabund/move-pkg-kubectl-cmd-auth-under-kubectl-staging

Move pkg/kubectl/cmd/auth under staging/src/k8s.io/kubectl/pkg/cmd/auth

Kubernetes-commit: c82d5ee0486191e709663b584b4f7101235514c9

Godeps/Godeps.json

@@ -786,6 +786,10 @@
 			"ImportPath": "k8s.io/component-base",
 			"Rev": "3b346c3e8128"
 		},
+		{
+			"ImportPath": "k8s.io/component-helpers",
+			"Rev": "f4b28bd014f1"
+		},
 		{
 			"ImportPath": "k8s.io/gengo",
 			"Rev": "8167cfdcfc14"

go.mod

@@ -39,6 +39,7 @@ require (
 	k8s.io/cli-runtime v0.0.0-20201102204136-d0f4150e4c60
 	k8s.io/client-go v0.0.0-20201103122446-534b10dd0412
 	k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128
+	k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1
 	k8s.io/klog/v2 v2.2.0
 	k8s.io/kube-openapi v0.0.0-20200923155610-8b5066479488
 	k8s.io/metrics v0.0.0-20201102204027-de1a3d1600b4
@@ -54,7 +55,6 @@ replace (
 	k8s.io/client-go => k8s.io/client-go v0.0.0-20201103122446-534b10dd0412
 	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20201102201853-e7a6809e9fe3
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128
+	k8s.io/component-helpers => k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1
 	k8s.io/metrics => k8s.io/metrics v0.0.0-20201102204027-de1a3d1600b4
 )
-
-replace k8s.io/component-helpers => k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1

go.sum

@@ -514,6 +514,7 @@ k8s.io/cli-runtime v0.0.0-20201102204136-d0f4150e4c60/go.mod h1:BPUgo08u37PddGZF
 k8s.io/client-go v0.0.0-20201103122446-534b10dd0412/go.mod h1:eZXqnPJiVVWY2+7NwTdK2FTjO8hczO3Dyc4NYU9HPOs=
 k8s.io/code-generator v0.0.0-20201102201853-e7a6809e9fe3/go.mod h1:oioc17TXBB973K4R+ytm5k9jY1BktboxJc7qu3i29V0=
 k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128/go.mod h1:/nWuTBUUN0ayOy6M2gPPEbJLcu3pBzdQG+RvOeE0nr8=
+k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1/go.mod h1:fATLiMczVsWPiRQBF/4Bmb9j64XsZEKugK1o4RHjFoI=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=

pkg/cmd/auth/OWNERS

@@ -0,0 +1,9 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- sig-auth-authorizers-approvers
+reviewers:
+- sig-auth-authorizers-reviewers
+labels:
+- sig/auth
+

pkg/cmd/auth/auth.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+)
+
+// NewCmdAuth returns an initialized Command instance for 'auth' sub command
+func NewCmdAuth(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
+	// Parent command to which all subcommands are added.
+	cmds := &cobra.Command{
+		Use:   "auth",
+		Short: "Inspect authorization",
+		Long:  `Inspect authorization`,
+		Run:   cmdutil.DefaultSubCommandRun(streams.ErrOut),
+	}
+
+	cmds.AddCommand(NewCmdCanI(f, streams))
+	cmds.AddCommand(NewCmdReconcile(f, streams))
+
+	return cmds
+}

pkg/cmd/auth/cani.go

@@ -0,0 +1,413 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	authorizationv1 "k8s.io/api/authorization/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/printers"
+	discovery "k8s.io/client-go/discovery"
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/describe"
+	rbacutil "k8s.io/kubectl/pkg/util/rbac"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+// CanIOptions is the start of the data required to perform the operation.  As new fields are added, add them here instead of
+// referencing the cmd.Flags()
+type CanIOptions struct {
+	AllNamespaces   bool
+	Quiet           bool
+	NoHeaders       bool
+	Namespace       string
+	AuthClient      authorizationv1client.AuthorizationV1Interface
+	DiscoveryClient discovery.DiscoveryInterface
+
+	Verb           string
+	Resource       schema.GroupVersionResource
+	NonResourceURL string
+	Subresource    string
+	ResourceName   string
+	List           bool
+
+	genericclioptions.IOStreams
+}
+
+var (
+	canILong = templates.LongDesc(`
+		Check whether an action is allowed.
+
+		VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
+		TYPE is a Kubernetes resource. Shortcuts and groups will be resolved.
+		NONRESOURCEURL is a partial URL starts with "/".
+		NAME is the name of a particular Kubernetes resource.`)
+
+	canIExample = templates.Examples(`
+		# Check to see if I can create pods in any namespace
+		kubectl auth can-i create pods --all-namespaces
+
+		# Check to see if I can list deployments in my current namespace
+		kubectl auth can-i list deployments.apps
+
+		# Check to see if I can do everything in my current namespace ("*" means all)
+		kubectl auth can-i '*' '*'
+
+		# Check to see if I can get the job named "bar" in namespace "foo"
+		kubectl auth can-i list jobs.batch/bar -n foo
+
+		# Check to see if I can read pod logs
+		kubectl auth can-i get pods --subresource=log
+
+		# Check to see if I can access the URL /logs/
+		kubectl auth can-i get /logs/
+
+		# List all allowed actions in namespace "foo"
+		kubectl auth can-i --list --namespace=foo`)
+
+	resourceVerbs       = sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "use", "bind", "impersonate", "*")
+	nonResourceURLVerbs = sets.NewString("get", "put", "post", "head", "options", "delete", "patch", "*")
+)
+
+// NewCmdCanI returns an initialized Command for 'auth can-i' sub command
+func NewCmdCanI(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
+	o := &CanIOptions{
+		IOStreams: streams,
+	}
+
+	cmd := &cobra.Command{
+		Use:                   "can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]",
+		DisableFlagsInUseLine: true,
+		Short:                 "Check whether an action is allowed",
+		Long:                  canILong,
+		Example:               canIExample,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmdutil.CheckErr(o.Complete(f, args))
+			cmdutil.CheckErr(o.Validate())
+			var err error
+			if o.List {
+				err = o.RunAccessList()
+			} else {
+				var allowed bool
+				allowed, err = o.RunAccessCheck()
+				if err == nil {
+					if !allowed {
+						os.Exit(1)
+					}
+				}
+			}
+			cmdutil.CheckErr(err)
+		},
+	}
+
+	cmd.Flags().BoolVarP(&o.AllNamespaces, "all-namespaces", "A", o.AllNamespaces, "If true, check the specified action in all namespaces.")
+	cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "If true, suppress output and just return the exit code.")
+	cmd.Flags().StringVar(&o.Subresource, "subresource", o.Subresource, "SubResource such as pod/log or deployment/scale")
+	cmd.Flags().BoolVar(&o.List, "list", o.List, "If true, prints all allowed actions.")
+	cmd.Flags().BoolVar(&o.NoHeaders, "no-headers", o.NoHeaders, "If true, prints allowed actions without headers")
+	return cmd
+}
+
+// Complete completes all the required options
+func (o *CanIOptions) Complete(f cmdutil.Factory, args []string) error {
+	if o.List {
+		if len(args) != 0 {
+			return errors.New("list option must be specified with no arguments")
+		}
+	} else {
+		if o.Quiet {
+			o.Out = ioutil.Discard
+		}
+
+		switch len(args) {
+		case 2:
+			o.Verb = args[0]
+			if strings.HasPrefix(args[1], "/") {
+				o.NonResourceURL = args[1]
+				break
+			}
+			resourceTokens := strings.SplitN(args[1], "/", 2)
+			restMapper, err := f.ToRESTMapper()
+			if err != nil {
+				return err
+			}
+			o.Resource = o.resourceFor(restMapper, resourceTokens[0])
+			if len(resourceTokens) > 1 {
+				o.ResourceName = resourceTokens[1]
+			}
+		default:
+			return errors.New("you must specify two or three arguments: verb, resource, and optional resourceName")
+		}
+	}
+
+	var err error
+	client, err := f.KubernetesClientSet()
+	if err != nil {
+		return err
+	}
+	o.AuthClient = client.AuthorizationV1()
+	o.DiscoveryClient = client.Discovery()
+	o.Namespace = ""
+	if !o.AllNamespaces {
+		o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Validate makes sure provided values for CanIOptions are valid
+func (o *CanIOptions) Validate() error {
+	if o.List {
+		if o.Quiet || o.AllNamespaces || o.Subresource != "" {
+			return errors.New("list option can't be specified with neither quiet, all-namespaces nor subresource options")
+		}
+		return nil
+	}
+
+	if o.NonResourceURL != "" {
+		if o.Subresource != "" {
+			return fmt.Errorf("--subresource can not be used with NonResourceURL")
+		}
+		if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" {
+			return fmt.Errorf("NonResourceURL and ResourceName can not specified together")
+		}
+		if !isKnownNonResourceVerb(o.Verb) {
+			fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
+		}
+	} else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {
+		if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced {
+			if len(o.Resource.Group) == 0 {
+				fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped\n", o.Resource.Resource)
+			} else {
+				fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group)
+			}
+		}
+		if !isKnownResourceVerb(o.Verb) {
+			fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
+		}
+
+	}
+
+	if o.NoHeaders {
+		return fmt.Errorf("--no-headers cannot be set without --list specified")
+	}
+	return nil
+}
+
+// RunAccessList lists all the access current user has
+func (o *CanIOptions) RunAccessList() error {
+	sar := &authorizationv1.SelfSubjectRulesReview{
+		Spec: authorizationv1.SelfSubjectRulesReviewSpec{
+			Namespace: o.Namespace,
+		},
+	}
+	response, err := o.AuthClient.SelfSubjectRulesReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
+	if err != nil {
+		return err
+	}
+
+	return o.printStatus(response.Status)
+}
+
+// RunAccessCheck checks if user has access to a certain resource or non resource URL
+func (o *CanIOptions) RunAccessCheck() (bool, error) {
+	var sar *authorizationv1.SelfSubjectAccessReview
+	if o.NonResourceURL == "" {
+		sar = &authorizationv1.SelfSubjectAccessReview{
+			Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+				ResourceAttributes: &authorizationv1.ResourceAttributes{
+					Namespace:   o.Namespace,
+					Verb:        o.Verb,
+					Group:       o.Resource.Group,
+					Resource:    o.Resource.Resource,
+					Subresource: o.Subresource,
+					Name:        o.ResourceName,
+				},
+			},
+		}
+	} else {
+		sar = &authorizationv1.SelfSubjectAccessReview{
+			Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+				NonResourceAttributes: &authorizationv1.NonResourceAttributes{
+					Verb: o.Verb,
+					Path: o.NonResourceURL,
+				},
+			},
+		}
+	}
+
+	response, err := o.AuthClient.SelfSubjectAccessReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
+	if err != nil {
+		return false, err
+	}
+	if response.Status.Allowed {
+		fmt.Fprintln(o.Out, "yes")
+	} else {
+		fmt.Fprint(o.Out, "no")
+		if len(response.Status.Reason) > 0 {
+			fmt.Fprintf(o.Out, " - %v", response.Status.Reason)
+		}
+		if len(response.Status.EvaluationError) > 0 {
+			fmt.Fprintf(o.Out, " - %v", response.Status.EvaluationError)
+		}
+		fmt.Fprintln(o.Out)
+	}
+
+	return response.Status.Allowed, nil
+}
+
+func (o *CanIOptions) resourceFor(mapper meta.RESTMapper, resourceArg string) schema.GroupVersionResource {
+	if resourceArg == "*" {
+		return schema.GroupVersionResource{Resource: resourceArg}
+	}
+
+	fullySpecifiedGVR, groupResource := schema.ParseResourceArg(strings.ToLower(resourceArg))
+	gvr := schema.GroupVersionResource{}
+	if fullySpecifiedGVR != nil {
+		gvr, _ = mapper.ResourceFor(*fullySpecifiedGVR)
+	}
+	if gvr.Empty() {
+		var err error
+		gvr, err = mapper.ResourceFor(groupResource.WithVersion(""))
+		if err != nil {
+			if len(groupResource.Group) == 0 {
+				fmt.Fprintf(o.ErrOut, "Warning: the server doesn't have a resource type '%s'\n", groupResource.Resource)
+			} else {
+				fmt.Fprintf(o.ErrOut, "Warning: the server doesn't have a resource type '%s' in group '%s'\n", groupResource.Resource, groupResource.Group)
+			}
+			return schema.GroupVersionResource{Resource: resourceArg}
+		}
+	}
+
+	return gvr
+}
+
+func (o *CanIOptions) printStatus(status authorizationv1.SubjectRulesReviewStatus) error {
+	if status.Incomplete {
+		fmt.Fprintf(o.ErrOut, "warning: the list may be incomplete: %v\n", status.EvaluationError)
+	}
+
+	breakdownRules := []rbacv1.PolicyRule{}
+	for _, rule := range convertToPolicyRule(status) {
+		breakdownRules = append(breakdownRules, rbacutil.BreakdownRule(rule)...)
+	}
+
+	compactRules, err := rbacutil.CompactRules(breakdownRules)
+	if err != nil {
+		return err
+	}
+	sort.Stable(rbacutil.SortableRuleSlice(compactRules))
+
+	w := printers.GetNewTabWriter(o.Out)
+	defer w.Flush()
+
+	allErrs := []error{}
+	if !o.NoHeaders {
+		if err := printAccessHeaders(w); err != nil {
+			allErrs = append(allErrs, err)
+		}
+	}
+
+	if err := printAccess(w, compactRules); err != nil {
+		allErrs = append(allErrs, err)
+	}
+	return utilerrors.NewAggregate(allErrs)
+}
+
+func convertToPolicyRule(status authorizationv1.SubjectRulesReviewStatus) []rbacv1.PolicyRule {
+	ret := []rbacv1.PolicyRule{}
+	for _, resource := range status.ResourceRules {
+		ret = append(ret, rbacv1.PolicyRule{
+			Verbs:         resource.Verbs,
+			APIGroups:     resource.APIGroups,
+			Resources:     resource.Resources,
+			ResourceNames: resource.ResourceNames,
+		})
+	}
+
+	for _, nonResource := range status.NonResourceRules {
+		ret = append(ret, rbacv1.PolicyRule{
+			Verbs:           nonResource.Verbs,
+			NonResourceURLs: nonResource.NonResourceURLs,
+		})
+	}
+
+	return ret
+}
+
+func printAccessHeaders(out io.Writer) error {
+	columnNames := []string{"Resources", "Non-Resource URLs", "Resource Names", "Verbs"}
+	_, err := fmt.Fprintf(out, "%s\n", strings.Join(columnNames, "\t"))
+	return err
+}
+
+func printAccess(out io.Writer, rules []rbacv1.PolicyRule) error {
+	for _, r := range rules {
+		if _, err := fmt.Fprintf(out, "%s\t%v\t%v\t%v\n", describe.CombineResourceGroup(r.Resources, r.APIGroups), r.NonResourceURLs, r.ResourceNames, r.Verbs); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func isNamespaced(gvr schema.GroupVersionResource, discoveryClient discovery.DiscoveryInterface) (bool, error) {
+	if gvr.Resource == "*" {
+		return true, nil
+	}
+	apiResourceList, err := discoveryClient.ServerResourcesForGroupVersion(schema.GroupVersion{
+		Group: gvr.Group, Version: gvr.Version,
+	}.String())
+	if err != nil {
+		return true, err
+	}
+
+	for _, resource := range apiResourceList.APIResources {
+		if resource.Name == gvr.Resource {
+			return resource.Namespaced, nil
+		}
+	}
+
+	return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group)
+}
+
+func isKnownResourceVerb(s string) bool {
+	return resourceVerbs.Has(s)
+}
+
+func isKnownNonResourceVerb(s string) bool {
+	return nonResourceURLVerbs.Has(s)
+}

pkg/cmd/auth/cani_test.go

@@ -0,0 +1,252 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	authorizationv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/rest/fake"
+	cmdtesting "k8s.io/kubectl/pkg/cmd/testing"
+	"k8s.io/kubectl/pkg/scheme"
+)
+
+func TestRunAccessCheck(t *testing.T) {
+	tests := []struct {
+		name      string
+		o         *CanIOptions
+		args      []string
+		allowed   bool
+		serverErr error
+
+		expectedBodyStrings []string
+	}{
+		{
+			name:    "restmapping for args",
+			o:       &CanIOptions{},
+			args:    []string{"get", "replicaset"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"namespace":"test","verb":"get","group":"extensions","resource":"replicasets"}}`,
+			},
+		},
+		{
+			name:    "simple success",
+			o:       &CanIOptions{},
+			args:    []string{"get", "deployments.extensions/foo"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"namespace":"test","verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
+			},
+		},
+		{
+			name: "all namespaces",
+			o: &CanIOptions{
+				AllNamespaces: true,
+			},
+			args:    []string{"get", "deployments.extensions/foo"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
+			},
+		},
+		{
+			name: "disallowed",
+			o: &CanIOptions{
+				AllNamespaces: true,
+			},
+			args:    []string{"get", "deployments.extensions/foo"},
+			allowed: false,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
+			},
+		},
+		{
+			name: "forcedError",
+			o: &CanIOptions{
+				AllNamespaces: true,
+			},
+			args:      []string{"get", "deployments.extensions/foo"},
+			allowed:   false,
+			serverErr: fmt.Errorf("forcedError"),
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
+			},
+		},
+		{
+			name: "sub resource",
+			o: &CanIOptions{
+				AllNamespaces: true,
+				Subresource:   "log",
+			},
+			args:    []string{"get", "pods"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`,
+			},
+		},
+		{
+			name:    "nonResourceURL",
+			o:       &CanIOptions{},
+			args:    []string{"get", "/logs"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"nonResourceAttributes":{"path":"/logs","verb":"get"}}`,
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			test.o.Out = ioutil.Discard
+			test.o.ErrOut = ioutil.Discard
+
+			tf := cmdtesting.NewTestFactory().WithNamespace("test")
+			defer tf.Cleanup()
+
+			ns := scheme.Codecs.WithoutConversion()
+
+			tf.Client = &fake.RESTClient{
+				GroupVersion:         schema.GroupVersion{Group: "", Version: "v1"},
+				NegotiatedSerializer: ns,
+				Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) {
+					expectPath := "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
+					if req.URL.Path != expectPath {
+						t.Errorf("%s: expected %v, got %v", test.name, expectPath, req.URL.Path)
+						return nil, nil
+					}
+					bodyBits, err := ioutil.ReadAll(req.Body)
+					if err != nil {
+						t.Errorf("%s: %v", test.name, err)
+						return nil, nil
+					}
+					body := string(bodyBits)
+
+					for _, expectedBody := range test.expectedBodyStrings {
+						if !strings.Contains(body, expectedBody) {
+							t.Errorf("%s expecting %s in %s", test.name, expectedBody, body)
+						}
+					}
+
+					return &http.Response{
+							StatusCode: http.StatusOK,
+							Body: ioutil.NopCloser(bytes.NewBufferString(
+								fmt.Sprintf(`{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","status":{"allowed":%v}}`, test.allowed),
+							)),
+						},
+						test.serverErr
+				}),
+			}
+			tf.ClientConfigVal = &restclient.Config{ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}}
+
+			if err := test.o.Complete(tf, test.args); err != nil {
+				t.Errorf("%s: %v", test.name, err)
+				return
+			}
+
+			actualAllowed, err := test.o.RunAccessCheck()
+			switch {
+			case test.serverErr == nil && err == nil:
+				// pass
+			case err != nil && test.serverErr != nil && strings.Contains(err.Error(), test.serverErr.Error()):
+				// pass
+			default:
+				t.Errorf("%s: expected %v, got %v", test.name, test.serverErr, err)
+				return
+			}
+			if actualAllowed != test.allowed {
+				t.Errorf("%s: expected %v, got %v", test.name, test.allowed, actualAllowed)
+				return
+			}
+		})
+	}
+}
+
+func TestRunAccessList(t *testing.T) {
+	t.Run("test access list", func(t *testing.T) {
+		options := &CanIOptions{List: true}
+		expectedOutput := "Resources   Non-Resource URLs   Resource Names    Verbs\n" +
+			"job.*       []                  [test-resource]   [get list]\n" +
+			"pod.*       []                  [test-resource]   [get list]\n" +
+			"            [/apis/*]           []                [get]\n" +
+			"            [/version]          []                [get]\n"
+
+		tf := cmdtesting.NewTestFactory().WithNamespace("test")
+		defer tf.Cleanup()
+
+		ns := scheme.Codecs.WithoutConversion()
+		codec := scheme.Codecs.LegacyCodec(scheme.Scheme.PrioritizedVersionsAllGroups()...)
+
+		tf.Client = &fake.RESTClient{
+			GroupVersion:         schema.GroupVersion{Group: "", Version: "v1"},
+			NegotiatedSerializer: ns,
+			Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) {
+				switch req.URL.Path {
+				case "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews":
+					body := ioutil.NopCloser(bytes.NewReader([]byte(runtime.EncodeOrDie(codec, getSelfSubjectRulesReview()))))
+					return &http.Response{StatusCode: http.StatusOK, Body: body}, nil
+				default:
+					t.Fatalf("unexpected request: %#v\n%#v", req.URL, req)
+					return nil, nil
+				}
+			}),
+		}
+		ioStreams, _, buf, _ := genericclioptions.NewTestIOStreams()
+		options.IOStreams = ioStreams
+		if err := options.Complete(tf, []string{}); err != nil {
+			t.Errorf("got unexpected error when do Complete(): %v", err)
+			return
+		}
+
+		err := options.RunAccessList()
+		if err != nil {
+			t.Errorf("got unexpected error when do RunAccessList(): %v", err)
+		} else if buf.String() != expectedOutput {
+			t.Errorf("expected %v\n but got %v\n", expectedOutput, buf.String())
+		}
+	})
+}
+
+func getSelfSubjectRulesReview() *authorizationv1.SelfSubjectRulesReview {
+	return &authorizationv1.SelfSubjectRulesReview{
+		Status: authorizationv1.SubjectRulesReviewStatus{
+			ResourceRules: []authorizationv1.ResourceRule{
+				{
+					Verbs:         []string{"get", "list"},
+					APIGroups:     []string{"*"},
+					Resources:     []string{"pod", "job"},
+					ResourceNames: []string{"test-resource"},
+				},
+			},
+			NonResourceRules: []authorizationv1.NonResourceRule{
+				{
+					Verbs:           []string{"get"},
+					NonResourceURLs: []string{"/apis/*", "/version"},
+				},
+			},
+		},
+	}
+}

pkg/cmd/auth/reconcile.go

@@ -0,0 +1,343 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/klog/v2"
+
+	rbacv1 "k8s.io/api/rbac/v1"
+	rbacv1alpha1 "k8s.io/api/rbac/v1alpha1"
+	rbacv1beta1 "k8s.io/api/rbac/v1beta1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/printers"
+	"k8s.io/cli-runtime/pkg/resource"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	"k8s.io/component-helpers/auth/rbac/reconciliation"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/scheme"
+	"k8s.io/kubectl/pkg/util/templates"
+)
+
+// ReconcileOptions is the start of the data required to perform the operation.  As new fields are added, add them here instead of
+// referencing the cmd.Flags()
+type ReconcileOptions struct {
+	PrintFlags             *genericclioptions.PrintFlags
+	FilenameOptions        *resource.FilenameOptions
+	DryRun                 bool
+	RemoveExtraPermissions bool
+	RemoveExtraSubjects    bool
+
+	Visitor         resource.Visitor
+	RBACClient      rbacv1client.RbacV1Interface
+	NamespaceClient corev1client.CoreV1Interface
+
+	PrintObject printers.ResourcePrinterFunc
+
+	genericclioptions.IOStreams
+}
+
+var (
+	reconcileLong = templates.LongDesc(`
+		Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects.
+
+		Missing objects are created, and the containing namespace is created for namespaced objects, if required.
+
+		Existing roles are updated to include the permissions in the input objects,
+		and remove extra permissions if --remove-extra-permissions is specified.
+
+		Existing bindings are updated to include the subjects in the input objects,
+		and remove extra subjects if --remove-extra-subjects is specified.
+
+		This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done.`)
+
+	reconcileExample = templates.Examples(`
+		# Reconcile rbac resources from a file
+		kubectl auth reconcile -f my-rbac-rules.yaml`)
+)
+
+// NewReconcileOptions returns a new ReconcileOptions instance
+func NewReconcileOptions(ioStreams genericclioptions.IOStreams) *ReconcileOptions {
+	return &ReconcileOptions{
+		FilenameOptions: &resource.FilenameOptions{},
+		PrintFlags:      genericclioptions.NewPrintFlags("reconciled").WithTypeSetter(scheme.Scheme),
+		IOStreams:       ioStreams,
+	}
+}
+
+// NewCmdReconcile holds the options for 'auth reconcile' sub command
+func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
+	o := NewReconcileOptions(streams)
+
+	cmd := &cobra.Command{
+		Use:                   "reconcile -f FILENAME",
+		DisableFlagsInUseLine: true,
+		Short:                 "Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects",
+		Long:                  reconcileLong,
+		Example:               reconcileExample,
+		Run: func(cmd *cobra.Command, args []string) {
+			cmdutil.CheckErr(o.Complete(cmd, f, args))
+			cmdutil.CheckErr(o.Validate())
+			cmdutil.CheckErr(o.RunReconcile())
+		},
+	}
+
+	o.PrintFlags.AddFlags(cmd)
+
+	cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.")
+	cmd.Flags().BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles")
+	cmd.Flags().BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings")
+	cmdutil.AddDryRunFlag(cmd)
+
+	return cmd
+}
+
+// Complete completes all the required options
+func (o *ReconcileOptions) Complete(cmd *cobra.Command, f cmdutil.Factory, args []string) error {
+	if err := o.FilenameOptions.RequireFilenameOrKustomize(); err != nil {
+		return err
+	}
+
+	if len(args) > 0 {
+		return errors.New("no arguments are allowed")
+	}
+
+	o.DryRun = getClientSideDryRun(cmd)
+
+	namespace, enforceNamespace, err := f.ToRawKubeConfigLoader().Namespace()
+	if err != nil {
+		return err
+	}
+
+	r := f.NewBuilder().
+		WithScheme(scheme.Scheme, scheme.Scheme.PrioritizedVersionsAllGroups()...).
+		ContinueOnError().
+		NamespaceParam(namespace).DefaultNamespace().
+		FilenameParam(enforceNamespace, o.FilenameOptions).
+		Flatten().
+		Do()
+
+	if err := r.Err(); err != nil {
+		return err
+	}
+	o.Visitor = r
+
+	clientConfig, err := f.ToRESTConfig()
+	if err != nil {
+		return err
+	}
+	o.RBACClient, err = rbacv1client.NewForConfig(clientConfig)
+	if err != nil {
+		return err
+	}
+	o.NamespaceClient, err = corev1client.NewForConfig(clientConfig)
+	if err != nil {
+		return err
+	}
+
+	if o.DryRun {
+		o.PrintFlags.Complete("%s (dry run)")
+	}
+	printer, err := o.PrintFlags.ToPrinter()
+	if err != nil {
+		return err
+	}
+
+	o.PrintObject = printer.PrintObj
+	return nil
+}
+
+// Validate makes sure provided values for ReconcileOptions are valid
+func (o *ReconcileOptions) Validate() error {
+	if o.Visitor == nil {
+		return errors.New("ReconcileOptions.Visitor must be set")
+	}
+	if o.RBACClient == nil {
+		return errors.New("ReconcileOptions.RBACClient must be set")
+	}
+	if o.NamespaceClient == nil {
+		return errors.New("ReconcileOptions.NamespaceClient must be set")
+	}
+	if o.PrintObject == nil {
+		return errors.New("ReconcileOptions.Print must be set")
+	}
+	if o.Out == nil {
+		return errors.New("ReconcileOptions.Out must be set")
+	}
+	if o.ErrOut == nil {
+		return errors.New("ReconcileOptions.Err must be set")
+	}
+	return nil
+}
+
+// RunReconcile performs the execution
+func (o *ReconcileOptions) RunReconcile() error {
+	return o.Visitor.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+
+		switch t := info.Object.(type) {
+		case *rbacv1.Role:
+			reconcileOptions := reconciliation.ReconcileRoleOptions{
+				Confirm:                !o.DryRun,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
+				Role:                   reconciliation.RoleRuleOwner{Role: t},
+				Client: reconciliation.RoleModifier{
+					NamespaceClient: o.NamespaceClient.Namespaces(),
+					Client:          o.RBACClient,
+				},
+			}
+			result, err := reconcileOptions.Run()
+			if err != nil {
+				return err
+			}
+			o.printResults(result.Role.GetObject(), nil, nil, result.MissingRules, result.ExtraRules, result.Operation, result.Protected)
+
+		case *rbacv1.ClusterRole:
+			reconcileOptions := reconciliation.ReconcileRoleOptions{
+				Confirm:                !o.DryRun,
+				RemoveExtraPermissions: o.RemoveExtraPermissions,
+				Role:                   reconciliation.ClusterRoleRuleOwner{ClusterRole: t},
+				Client: reconciliation.ClusterRoleModifier{
+					Client: o.RBACClient.ClusterRoles(),
+				},
+			}
+			result, err := reconcileOptions.Run()
+			if err != nil {
+				return err
+			}
+			o.printResults(result.Role.GetObject(), nil, nil, result.MissingRules, result.ExtraRules, result.Operation, result.Protected)
+
+		case *rbacv1.RoleBinding:
+			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
+				Confirm:             !o.DryRun,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
+				RoleBinding:         reconciliation.RoleBindingAdapter{RoleBinding: t},
+				Client: reconciliation.RoleBindingClientAdapter{
+					Client:          o.RBACClient,
+					NamespaceClient: o.NamespaceClient.Namespaces(),
+				},
+			}
+			result, err := reconcileOptions.Run()
+			if err != nil {
+				return err
+			}
+			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)
+
+		case *rbacv1.ClusterRoleBinding:
+			reconcileOptions := reconciliation.ReconcileRoleBindingOptions{
+				Confirm:             !o.DryRun,
+				RemoveExtraSubjects: o.RemoveExtraSubjects,
+				RoleBinding:         reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t},
+				Client: reconciliation.ClusterRoleBindingClientAdapter{
+					Client: o.RBACClient.ClusterRoleBindings(),
+				},
+			}
+			result, err := reconcileOptions.Run()
+			if err != nil {
+				return err
+			}
+			o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected)
+
+		case *rbacv1beta1.Role,
+			*rbacv1beta1.RoleBinding,
+			*rbacv1beta1.ClusterRole,
+			*rbacv1beta1.ClusterRoleBinding,
+			*rbacv1alpha1.Role,
+			*rbacv1alpha1.RoleBinding,
+			*rbacv1alpha1.ClusterRole,
+			*rbacv1alpha1.ClusterRoleBinding:
+			return fmt.Errorf("only rbac.authorization.k8s.io/v1 is supported: not %T", t)
+
+		default:
+			klog.V(1).Infof("skipping %#v", info.Object.GetObjectKind())
+			// skip ignored resources
+		}
+
+		return nil
+	})
+}
+
+func (o *ReconcileOptions) printResults(object runtime.Object,
+	missingSubjects, extraSubjects []rbacv1.Subject,
+	missingRules, extraRules []rbacv1.PolicyRule,
+	operation reconciliation.ReconcileOperation,
+	protected bool) {
+
+	o.PrintObject(object, o.Out)
+
+	caveat := ""
+	if protected {
+		caveat = ", but object opted out (rbac.authorization.kubernetes.io/autoupdate: false)"
+	}
+	switch operation {
+	case reconciliation.ReconcileNone:
+		return
+	case reconciliation.ReconcileCreate:
+		fmt.Fprintf(o.ErrOut, "\treconciliation required create%s\n", caveat)
+	case reconciliation.ReconcileUpdate:
+		fmt.Fprintf(o.ErrOut, "\treconciliation required update%s\n", caveat)
+	case reconciliation.ReconcileRecreate:
+		fmt.Fprintf(o.ErrOut, "\treconciliation required recreate%s\n", caveat)
+	}
+
+	if len(missingSubjects) > 0 {
+		fmt.Fprintf(o.ErrOut, "\tmissing subjects added:\n")
+		for _, s := range missingSubjects {
+			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s)
+		}
+	}
+	if o.RemoveExtraSubjects {
+		if len(extraSubjects) > 0 {
+			fmt.Fprintf(o.ErrOut, "\textra subjects removed:\n")
+			for _, s := range extraSubjects {
+				fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s)
+			}
+		}
+	}
+	if len(missingRules) > 0 {
+		fmt.Fprintf(o.ErrOut, "\tmissing rules added:\n")
+		for _, r := range missingRules {
+			fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r)
+		}
+	}
+	if o.RemoveExtraPermissions {
+		if len(extraRules) > 0 {
+			fmt.Fprintf(o.ErrOut, "\textra rules removed:\n")
+			for _, r := range extraRules {
+				fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r)
+			}
+		}
+	}
+}
+
+func getClientSideDryRun(cmd *cobra.Command) bool {
+	dryRunStrategy, err := cmdutil.GetDryRunStrategy(cmd)
+	if err != nil {
+		klog.Fatalf("error accessing --dry-run flag for command %s: %v", cmd.Name(), err)
+	}
+	if dryRunStrategy == cmdutil.DryRunServer {
+		klog.Fatalf("--dry-run=server for command %s is not supported yet", cmd.Name())
+	}
+	return dryRunStrategy == cmdutil.DryRunClient
+}