Merge pull request #15 from spreadshirt/rename-kubectl-plugin

Rename kubectl plugin to `kubectl-request`

.gitignore

@@ -1,5 +1,5 @@
 /kube-request-access
-/kubectl-access
+/kubectl-request
 /webhook-auditer
 /webhook-validator
 /.go

.goreleaser.yaml

@@ -2,9 +2,9 @@ before:
   hooks:
     - go mod tidy
 builds:
-  - main: ./cmd/kubectl-access
-    id: kubectl-access
-    binary: kubectl-access
+  - main: ./cmd/kubectl-request
+    id: kubectl-request
+    binary: kubectl-request
     env:
       - CGO_ENABLED=0
     goos:
@@ -16,7 +16,7 @@ archives:
   - format: tar.gz
     # this name template makes the OS and Arch compatible with the results of uname.
     name_template: >-
-      kubectl-access_
+      kubectl-request_
       {{- title .Os }}_
       {{- if eq .Arch "amd64" }}x86_64
       {{- else if eq .Arch "386" }}i386

Makefile

@@ -1,4 +1,7 @@
-all: kube-request-access local-config
+all: kubectl-request kube-request-access local-config
+
+kubectl-request: Makefile .goreleaser.yaml cmd/kubectl-request/*.go
+	goreleaser build --clean --snapshot --single-target -o kubectl-request
 
 kube-request-access: Makefile *.go
 	CGO_ENABLED=0 go build .

README.md

@@ -14,24 +14,24 @@ This project is inspired by the internal `zkubectl cluster-access` [in use at Za
 
 Here's what the workflow looks like in practice:
 
-[![asciicast of `kubectl access` workflow](https://asciinema.org/a/572387.png)](https://asciinema.org/a/572387)
+[![asciicast of `kubectl request` workflow](https://asciinema.org/a/580126.png)](https://asciinema.org/a/580126)
 
 ## Usage
 
 ### For developers
 
-To request exec access in a cluster, install [kubectl-access](https://github.com/spreadshirt/kube-request-access/releases) and then request access as follows:
+To request exec access in a cluster, install [kubectl-request](https://github.com/spreadshirt/kube-request-access/releases) and then request access as follows:
 
 ```
-$ kubectl access request exec --valid-for 1h nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*'
+$ kubectl request exec --valid-for 1h nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*'
 created accessrequest ... (please wait for an admin to grant the permission)
 
 # after the request is granted
 $ kubectl exec nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*'
 ...
 ```
 
-See [`kubectl-access` docs](./cmd/kubectl-access) docs for more details.
+See [`kubectl-request` docs](./cmd/kubectl-request) docs for more details.
 
 ### For operators
 
@@ -67,7 +67,7 @@ flowchart TD
 
 - `kube-request-access` intercepts `AccessRequest`s, `AccessGrant`s and `pods/exec` API calls and decides
   if they are valid
-- developers request access using `kubectl access request` and admins grant it using `kubectl access grant` ([`kubectl-access`](./cmd/kubectl-access) plugin)
+- developers request access using `kubectl request exec` and admins grant it using `kubectl request grant` ([`kubectl-request`](./cmd/kubectl-request) plugin)
 - `kube-request-access` can defer to custom webhooks to implement organization-specific auditing and additional
   validation, e.g. to store auditing information in a database or send notifications to a chat
 

cmd/kubectl-access/README.md → cmd/kubectl-request/README.md

@@ -1,38 +1,38 @@
-# kubectl-access
+# kubectl-request
 
-`kubectl-access` is a kubectl plugin that manages the `AccessRequest` and `AccessGrant` CRDs
+`kubectl-request` is a kubectl plugin that manages the `AccessRequest` and `AccessGrant` CRDs
 which `kube-request-access` uses to grant access to `kubectl exec`.
 
 ## Installation
 
 Download the [latest release](https://github.com/spreadshirt/kube-request-access/releases/latest) and put the
-`kubectl-access` binary somewhere in your `PATH`.
+`kubectl-request` binary somewhere in your `PATH`.
 
-After that you can use it as `kubectl access`.
+After that you can use it as `kubectl request`.
 
 ## Usage
 
-- request access using `kubectl access request exec ...`
+- request access using `kubectl request exec ...`
   - by default, access is requested to run the specified command once
   - you can also request access to run the given command multiple times for a duration using `--valid-for`
 - wait for an admin to grant permissions (or deny them)
 - run the command you requested access for using `kubectl exec` as usual
 
-Here's the full `kubectl access --help` message for reference:
+Here's the full `kubectl request --help` message for reference:
 
 ```
 Request and grant access to `kubectl exec` and friends
 
 Usage:
-  access [command]
+  request [command]
 
 Examples:
 
         # request access
-        kubectl access request exec deployment/nginx ls -l /tmp
+        kubectl request exec deployment/nginx ls -l /tmp
 
         # grant access
-        kubectl access grant <name>
+        kubectl request grant <name>
 
 
 Available Commands:

cmd/kubectl-access/kubectl-access.go → cmd/kubectl-request/kubectl-request.go

@@ -36,14 +36,14 @@ func main() {
 	// pflag.CommandLine = flags
 
 	cmd := &cobra.Command{
-		Use:   "access",
+		Use:   "kubectl-request",
 		Short: "Request and grant access to `kubectl exec` and friends",
 		Example: `
 	# request access
-	kubectl access request exec deployment/nginx ls -l /tmp
+	kubectl request exec deployment/nginx ls -l /tmp
 
 	# grant access
-	kubectl access grant <name>
+	kubectl request grant <name>
 `,
 		Args:    cobra.MinimumNArgs(1),
 		Version: version, // set so that cobra adds the --version flag
@@ -76,13 +76,6 @@ Build date: %s
 	accessCommand.genericOptions = genericclioptions.NewConfigFlags(true)
 	accessCommand.genericOptions.AddFlags(cmd.PersistentFlags())
 
-	requestCmd := &cobra.Command{
-		Use:   "request <cmd> [flags-and-args]",
-		Short: "Request access to `kubectl <cmd>`",
-		Args:  cobra.MinimumNArgs(1),
-	}
-	cmd.AddCommand(requestCmd)
-
 	requestExecCmd := &cobra.Command{
 		Use:          "exec (POD | TYPE/NAME) [-c CONTAINER] [flags] -- [COMMAND] [args...] [options]",
 		Short:        "Request access to execute a command in a container.",
@@ -100,7 +93,7 @@ container to be attached or the first container in the pod will be chosen`)
 	requestExecCmd.Flags().DurationVarP(&accessCommand.validFor, "valid-for", "d", 0, "Amount of the that the access is requested for (command will only be allowed once if not specified)")
 	requestExecCmd.Flags().StringToStringVarP(&accessCommand.customKeys, "custom-key", "k", nil, "Custom key-value pairs to set")
 	requestExecCmd.Flags().StringVarP(&accessCommand.onBehalfOf, "on-behalf-of", "", "", "Username to create the request on behalf of (only for admins)")
-	requestCmd.AddCommand(requestExecCmd)
+	cmd.AddCommand(requestExecCmd)
 
 	grantCmd := &cobra.Command{
 		Use:          "grant REQUEST",

cmd/kubectl-access/update.go → cmd/kubectl-request/update.go

@@ -44,7 +44,7 @@ func getLatestVersion(ctx context.Context) (string, error) {
 		return "", fmt.Errorf("could not get cache dir: %w", err)
 	}
 
-	latestVersionPath := path.Join(cacheDir, "kubectl-access-version.txt")
+	latestVersionPath := path.Join(cacheDir, "kubectl-request-version.txt")
 	fi, err := os.Stat(latestVersionPath)
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		return "", fmt.Errorf("coult not access version file: %w", err)
@@ -64,7 +64,7 @@ func getLatestVersion(ctx context.Context) (string, error) {
 		return "", fmt.Errorf("could not create request: %w", err)
 	}
 
-	req.Header.Set("User-Agent", "kubectl-access / https://github.com/spreadshirt/kube-request-access")
+	req.Header.Set("User-Agent", "kubectl-request / https://github.com/spreadshirt/kube-request-access")
 	req.Header.Set("Accept", "application/vnd.github+json")
 	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
 

demo.txt → demo.asc

@@ -1,27 +1,34 @@
+#!/bin/bash
+## kube-request-access demo
+
+: kubectl get accessrequests.spreadgroup.com -o name | xargs kubectl delete &> /dev/null || true
+
 # kubectl exec is usually not allowed:
 kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
 # let's request access!
-kubectl access --context dev request exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
+kubectl request --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
 # pretend we're an admin and grant it
-kubectl access --context admin grant
+kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"
 
 # note execOptions and userInfo above
 
 kubectl --context admin get accessrequests.spreadgroup.com
 kubectl --context admin get accessgrants.spreadgroup.com
 
+: sleep 2 && clear
+
 # now it works!
 kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
 # only once by default
 kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
 # let's request access for a while
-kubectl access --context dev request exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
+kubectl request --context dev exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
-kubectl access --context admin grant
+kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"
 
 # note the validFor field
 
@@ -32,10 +39,14 @@ kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 # but of course only this command
 kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/passwd
 
+: sleep 2 && clear
+
 # admins can revoke access
 kubectl --context admin get accessrequests.spreadgroup.com
-kubectl --context admin delete accessrequests.spreadgroup.com
+kubectl --context admin delete accessrequests.spreadgroup.com "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"
 
 kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf
 
 # and that's kube-request-access!
+
+: sleep 2