-
Notifications
You must be signed in to change notification settings - Fork 898
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubectl clusterrole help doesn't document --user flag #1256
Comments
@RichardoC: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/sig cli |
Weirdly I can see it in the code, but not when run? |
/assign |
Yes, it does exist in the code. I looked at the code and didn't find any problems. |
Hi, PR opened for it in past but has not resolved it. see this: kubernetes/kubernetes#103809 (review) |
/cc @eddiezane |
This is a kubectl issue /transfer kubectl |
@Shubham82 is right, this is because there is already a global user flag:
The problem is we can't just rename the flag because of backward compatibility. People running I wonder if a solution would be to "overload" this flag, essentially binding two different flags to the
Then,
And we could deprecate the use of Maybe even print a warning if people use that flag so that eventually we could remove it. Thoughts? |
Maybe "username" instead because role-user doesn't really fit with --service-account etc? |
Hi @brianpursley |
IMO |
@Shubham82 that was what I was thinking, then mark BUT... I think this should be discussed with SIG-CLI though before doing that, perhaps in the next bug scrub meeting, or in the next regular SIG-CLI meeting. There is probably a bigger overall issue of "how do we handle/fix shadowed flags" A quick look and I see (at least) these commands shadow
In fact, The real problem is that shadowed flags don't show up in the help output, so maybe another, different solution would be to figure out how to force them to show up in the help output even though they are shadowing a global flag. Is that possible? |
Thanks, @brianpursley for this detailed information. |
The root of this is in Cobra spf13/cobra#1651 |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
/triage resolved This is fixed in v1.26.0:
|
@KnVerey: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@KnVerey: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened?
--user is missing from the list of options
What did you expect to happen?
$ kubectl -n security create rolebinding workloads --clusterrole workloads --help
Create a role binding for a particular role or cluster role.
Examples:
Create a role binding for user1, user2, and group1 using the admin cluster role
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
Options:
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--clusterrole='': ClusterRole this RoleBinding should reference
--dry-run='none': Must be "none", "server", or "client". If client strategy, only print the object that would be
sent, without sending it. If server strategy, submit server-side request without persisting the resource.
--field-manager='kubectl-create': Name of the manager used to track field ownership.
--group=[]: Groups to bind to the role
-o, --output='': Output format. One of:
json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.
--role='': Role this RoleBinding should reference
--save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the
annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--serviceaccount=[]: Service accounts to bind to the role, in the format :
--show-managed-fields=false: If true, keep the managedFields when printing objects in JSON or YAML format.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--user=[]: Users to bind to the role
--validate=true: If true, use a schema to validate the input before sending it
Usage:
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname]
[--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
How can we reproduce it (as minimally and precisely as possible)?
$ kubectl -n internal create rolebinding workloads --clusterrole workloads ---help | | grep '--user'
Nothing saying what the --user flag does.
Anything else we need to know?
No response
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
The text was updated successfully, but these errors were encountered: