feat: Support ClusterRole relationships

Signed-off-by: Justin Toh <tohjustin@hotmail.com>
tohjustin · Oct 2, 2021 · 386ef28 · 386ef28
1 parent 4516759
commit 386ef28
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ List of supported relationships used for discovering dependent objects:
 
 - Kubernetes
   - [Controller References](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/controller-ref.md) & [Owner References](https://kubernetes.io/docs/concepts/overview/working-with-objects/owners-dependents/)
-  - [ClusterRoleBinding References](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/) & [RoleBinding References](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/)
+  - [ClusterRole References](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/), [ClusterRoleBinding References](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/) & [RoleBinding References](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/)
   - [Event References](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/event-v1/)
   - [Ingress References](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/) & [IngressClass Reference](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-class-v1/)
   - [MutatingWebhookConfiguration References](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/mutating-webhook-configuration-v1/) & [ValidatingWebhookConfiguration References](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/)

diff --git a/pkg/cmd/lineage/graph.go b/pkg/cmd/lineage/graph.go
@@ -186,11 +186,12 @@ func (n *Node) GetNestedString(fields ...string) string {
 type NodeMap map[types.UID]*Node
 
 const (
-	// Kubernetes ClusterRoleBinding, RoleBinding relationships.
-	RelationshipClusterRoleBindingSubject Relationship = "ClusterRoleBindingSubject"
-	RelationshipClusterRoleBindingRole    Relationship = "ClusterRoleBindingRole"
-	RelationshipRoleBindingSubject        Relationship = "RoleBindingSubject"
-	RelationshipRoleBindingRole           Relationship = "RoleBindingRole"
+	// Kubernetes ClusterRole, ClusterRoleBinding, RoleBinding relationships.
+	RelationshipClusterRoleAggregationRule Relationship = "ClusterRoleAggregationRule"
+	RelationshipClusterRoleBindingSubject  Relationship = "ClusterRoleBindingSubject"
+	RelationshipClusterRoleBindingRole     Relationship = "ClusterRoleBindingRole"
+	RelationshipRoleBindingSubject         Relationship = "RoleBindingSubject"
+	RelationshipRoleBindingRole            Relationship = "RoleBindingRole"
 
 	// Kubernetes Event relationships.
 	RelationshipEventRegarding Relationship = "EventRegarding"
@@ -417,6 +418,13 @@ func resolveDependents(objects []unstructuredv1.Unstructured, rootUID types.UID)
 				klog.V(4).Infof("Failed to get relationships for ingressclass named \"%s\": %s", node.Name, err)
 				continue
 			}
+		// Populate dependents based on ClusterRole relationships
+		case node.Group == "rbac.authorization.k8s.io" && node.Kind == "ClusterRole":
+			rmap, err = getClusterRoleRelationships(node)
+			if err != nil {
+				klog.V(4).Infof("Failed to get relationships for clusterrole named \"%s\": %s", node.Name, err)
+				continue
+			}
 		// Populate dependents based on ClusterRoleBinding relationships
 		case node.Group == "rbac.authorization.k8s.io" && node.Kind == "ClusterRoleBinding":
 			rmap, err = getClusterRoleBindingRelationships(node)
@@ -475,6 +483,34 @@ func resolveDependents(objects []unstructuredv1.Unstructured, rootUID types.UID)
 	return nodeMap
 }
 
+// getClusterRoleRelationships returns a map of relationships that this
+// ClusterRole has with other objects, based on what was referenced in
+// its manifest.
+func getClusterRoleRelationships(n *Node) (*RelationshipMap, error) {
+	var cr rbacv1.ClusterRole
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(n.UnstructuredContent(), &cr)
+	if err != nil {
+		return nil, err
+	}
+
+	var ols ObjectLabelSelector
+	result := newRelationshipMap()
+
+	// RelationshipClusterRoleAggregationRule
+	if ar := cr.AggregationRule; ar != nil {
+		for ix := range ar.ClusterRoleSelectors {
+			selector, err := metav1.LabelSelectorAsSelector(&ar.ClusterRoleSelectors[ix])
+			if err != nil {
+				return nil, err
+			}
+			ols = ObjectLabelSelector{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole", Selector: selector}
+			result.AddDependencyByLabelSelector(ols, RelationshipClusterRoleAggregationRule)
+		}
+	}
+
+	return &result, nil
+}
+
 // getClusterRoleBindingRelationships returns a map of relationships that this
 // ClusterRoleBinding has with other objects, based on what was referenced in
 // its manifest.