Kubectl auth can-i doesn't know about the approve verb #124880

Closed
raesene opened this issue May 10, 2024 · 12 comments · Fixed by #125131
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@raesene

raesene commented May 10, 2024

What happened:

If you use kubectl auth can-i to test whether a user can approve certificate signing requests, you get a response indicating that approve is not a valid verb.

kubectl auth can-i approve certificatesigningrequests.certificates.k8s.io
Warning: resource 'certificatesigningrequests' is not namespace scoped in group 'certificates.k8s.io'

Warning: verb 'approve' is not a known verb

An example of the approve verb being used can be seen here

What you expected to happen:

approve should be recognized as a valid verb on certificatesigningrequest objects.

How to reproduce it (as minimally and precisely as possible):
Run

kubectl auth can-i approve certificatesigningrequests.certificates.k8s.io

Anything else we need to know?:

I think that approve needs to be added to the kubectl auth can-i code here

Environment:

  • Kubernetes client and server versions (use kubectl version):
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
@raesene raesene added the kind/bug Categorizes issue or PR as related to a bug. label May 10, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label May 10, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ardaguclu
Member

I don't think approve is a valid verb for the kubectl auth command. Valid verbs are in https://github.com/kubernetes/kubectl/blob/514f46729f82412dd9cc41f206058bc4ae9b62b0/pkg/cmd/auth/cani.go#L106

@raesene
Author

raesene commented May 13, 2024

So in that line of code there are a number of verbs which are only usable on specific objects, for example impersonate, which works on users. AFAIK the point of that line is to inform kubectl what the valid verbs are on any object in Kubernetes, so that it knows what's possible when users use the kubectl auth can-i command.

The approve verb is valid on certificate objects, as shown in the docs example I listed. Without approve being present in that line of code, kubectl auth can-i will incorrectly state that there is no approve verb in Kubernetes.

@ah8ad3
Member

ah8ad3 commented May 14, 2024

I tested it, and it seems to work when we add approve to that list. But the question is: should we add it or not?

@raesene
Author

raesene commented May 14, 2024

There have been cases where Kubectl has had additions to handle non-standard resources/verbs in the past (e.g. this one I raised a couple of years back).

AFAIK the explicit list of verbs here is designed to address this point, it's just not got approve in it. You could ask SIG-Auth about it, I'm sure they'd have more info.

@ardaguclu
Member

/transfer kubenertes
/sig auth

Decision can be made by sig-auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label May 14, 2024
@k8s-ci-robot
Contributor

@ardaguclu: Something went wrong or the destination repo kubernetes/kubenertes does not exist.

In response to this:

/transfer kubenertes
/sig auth

Decision can be made by sig-auth


@ardaguclu
Member

/transfer kubernetes/kubernetes

@k8s-ci-robot
Contributor

@ardaguclu: Something went wrong or the destination repo kubernetes/kubernetes/kubernetes does not exist.

In response to this:

/transfer kubernetes/kubernetes


@ardaguclu
Member

/transfer kubernetes

@k8s-ci-robot k8s-ci-robot transferred this issue from kubernetes/kubectl May 15, 2024
@stlaz
Member

stlaz commented May 20, 2024

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 20, 2024
@ah8ad3
Member

ah8ad3 commented May 26, 2024

This will work even without adding the verb there; adding the verb just removes the warning. Submitted a PR to add that.
/assign
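
The behaviour described in the last comment, as an added Go example that is not part of the thread and is not kubectl's or Kubernetes' own code: a simplified model in which the client-side verb list only produces a warning, while the allow/deny answer comes from comparing the verb as a plain string against the rules. The `Rule` type, the function names, the contents of `knownVerbs` and the sample rule are assumptions made for illustration.

```go
package main

import "fmt"

// Rule is a simplified stand-in for one RBAC policy rule (hypothetical type).
type Rule struct{ APIGroups, Resources, Verbs []string }

// knownVerbs models the client-side hint list. Its contents are illustrative
// assumptions; only "impersonate" is named in the thread.
var knownVerbs = map[string]bool{"get": true, "list": true, "watch": true, "create": true, "update": true, "patch": true, "delete": true, "impersonate": true, "*": true}

// matches reports whether a rule field contains want or the wildcard "*".
func matches(have []string, want string) bool {
	for _, v := range have {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed models the server-side decision: the verb is an opaque string
// compared against each rule, with no fixed vocabulary.
func Allowed(rules []Rule, verb, group, resource string) bool {
	for _, r := range rules {
		if matches(r.Verbs, verb) && matches(r.APIGroups, group) && matches(r.Resources, resource) {
			return true
		}
	}
	return false
}

// CanI models the client: an unlisted verb adds a warning, but the answer
// still comes from Allowed.
func CanI(rules []Rule, verb, group, resource string) (bool, []string) {
	var warnings []string
	if !knownVerbs[verb] {
		warnings = append(warnings, fmt.Sprintf("Warning: verb '%s' is not a known verb", verb))
	}
	return Allowed(rules, verb, group, resource), warnings
}

func main() {
	// Constructed rule mirroring the command in the issue.
	rules := []Rule{{APIGroups: []string{"certificates.k8s.io"}, Resources: []string{"certificatesigningrequests"}, Verbs: []string{"approve"}}}
	fmt.Println(CanI(rules, "approve", "certificates.k8s.io", "certificatesigningrequests"))
	fmt.Println(CanI(rules, "delete", "certificates.k8s.io", "certificatesigningrequests"))
}
```

When auditing who can approve certificate signing requests, the warning alone is therefore not a reason to discard the yes/no answer that follows it.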
