Error using v 0.1

[rikatz]

Hi,

Nice project!

I was trying to use it into my environment and I'm facing the following error:

/usr/local/bin/kubectl get sa --all-namespaces --output json
/usr/local/bin/kubectl get roles --all-namespaces --output json
/usr/local/bin/kubectl get rolebindings --all-namespaces --output json
/usr/local/bin/kubectl get clusterroles --output json
/usr/local/bin/kubectl get clusterrolebindings --output json
panic: interface conversion: interface {} is nil, not []interface {}

goroutine 1 [running]:
main.lookupRoles(0xc0000a1650, 0x7, 0xc0000a1640, 0x7, 0xc000060150, 0xc000192270, 0xc0000ea400, 0x1c, 0x20, 0xc00023eb40, ...)
	/Users/hausenbl/go/src/github.com/mhausenblas/rback/main.go:199 +0x586
main.genGraph(0xc000060150, 0xc000192270, 0xc0000ea400, 0x1c, 0x20, 0xc00023eb40, 0xc0000eae00, 0x1c, 0x20, 0x0)
	/Users/hausenbl/go/src/github.com/mhausenblas/rback/main.go:310 +0xc01
main.main()
	/Users/hausenbl/go/src/github.com/mhausenblas/rback/main.go:27 +0x141

My env:

OS CentOS 7.6 64 bit
K8S version: 1.13.4

Tks

[rikatz]

Tested here inside a Ubuntu 18.04 and the same occurs

[mhausenblas]

Interesting! Thanks for reporting this @rikatz … are you using the binaries or built it yourself?

[rikatz]

Using the binaries :)

[mhausenblas]

Thanks, and what's your kubectl version?

[rikatz]

Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.6", GitCommit:"abdda3f9fefa29172298a2e42f5102e777a8ec25", GitTreeState:"clean", BuildDate:"2019-05-08T13:53:53Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}

[mhausenblas]

OK, thanks. I suspect the kubectl version is the cause (mine is 1.14). Can you paste the output of kubectl get clusterrolebindings/cluster-admin -o yaml please?

[rikatz]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2017-04-18T23:50:47Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "26105543"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: d840db91-2491-11e7-9c82-0050568f9e1a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters

Upgraded the kubectl to 1.14.2 but the error persists

[mhausenblas]

So I tried to reproduce your issue, using the Katacoda Kubernetes playground which has an 1.11 client installed (result see in the examples/ directory). Seems to work fine.

[mhausenblas]

LOL, commented at the same time.

Upgraded the kubectl to 1.14.2 but the error persists

This is even stranger! Hmmmm …

[rikatz]

Yeap. The error seems to be in genGraph.

I'll put some brake points here and try to reproduce/find what's happening.

[mhausenblas]

Thanks. Yeah, it's in lookupRoles() but I don't get why, because I get the exact same result as you get above for the CRB. Maybe some interesting other CRB that uses no name?? :)

[rikatz]

@mhausenblas could figure out the problem here: when you have a RoleBinding with no subjects it returns the error.

The following is a RoleBinding that can reproduce the error:

{
"apiVersion":"rbac.authorization.k8s.io/v1",
"kind":"RoleBinding",
"metadata":{
"creationTimestamp":"2017-04-24T22:53:27Z",
"name":"admin",
"namespace":"namespace1",
"resourceVersion":"27780594",
"selfLink":"/apis/rbac.authorization.k8s.io/v1/namespaces/namespace1/rolebindings/admin",
"uid":"d487bbe2-2940-11e7-bff1-0050568f9e1c"
},
"roleRef":{
"apiGroup":"rbac.authorization.k8s.io",
"kind":"ClusterRole",
"name":"admin"
}
}

[rikatz]

Made a PR to fix this ;)

[rikatz]

Now I'm facing another error with Graphviz, but not related to rback by itself :P I've a pretty huge environment and cairo is not rendering it well.

Anyway, this is nice!

[mhausenblas]

Yeah, that's what my hunch was as well (missing name and or even subjects). I really appreciate you taking the time. I do, however, wonder if such a RoleBinding is actually valid. I mean, what would the semantic of that be? Can you tell from where that comes from? I'm not against the patch #2 and will merge it but I really don't want to support bad practices in terms of RBAC ;)

[rikatz]

Yes, this was strange. Anyway it seems Kubernetes API supports RoleBinding without subjects. This should be an empty array other then a null field, but it happens this is a cluster created while it was version 1.7 and then being upgraded. Probably we've hit some old migration issue

[mhausenblas]

Oho! TIL :)

Any references I can peruse?