diff --git a/.gitignore b/.gitignore index 5480c43..9dab837 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ /kube-request-access -/kubectl-access +/kubectl-request /webhook-auditer /webhook-validator /.go diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 2d6118a..e8bb2dc 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -2,9 +2,9 @@ before: hooks: - go mod tidy builds: - - main: ./cmd/kubectl-access - id: kubectl-access - binary: kubectl-access + - main: ./cmd/kubectl-request + id: kubectl-request + binary: kubectl-request env: - CGO_ENABLED=0 goos: @@ -16,7 +16,7 @@ archives: - format: tar.gz # this name template makes the OS and Arch compatible with the results of uname. name_template: >- - kubectl-access_ + kubectl-request_ {{- title .Os }}_ {{- if eq .Arch "amd64" }}x86_64 {{- else if eq .Arch "386" }}i386 diff --git a/Makefile b/Makefile index d8d0552..f352099 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,7 @@ -all: kube-request-access local-config +all: kubectl-request kube-request-access local-config + +kubectl-request: Makefile .goreleaser.yaml cmd/kubectl-request/*.go + goreleaser build --clean --snapshot --single-target -o kubectl-request kube-request-access: Makefile *.go CGO_ENABLED=0 go build . diff --git a/README.md b/README.md index bf7d1fa..d69ed19 100644 --- a/README.md +++ b/README.md 
@@ -14,16 +14,16 @@ This project is inspired by the internal `zkubectl cluster-access` [in use at Za Here's what the workflow looks like in practice: -[![asciicast of `kubectl access` workflow](https://asciinema.org/a/572387.png)](https://asciinema.org/a/572387) +[![asciicast of `kubectl request` workflow](https://asciinema.org/a/580126.png)](https://asciinema.org/a/580126) ## Usage ### For developers -To request exec access in a cluster, install [kubectl-access](https://github.com/spreadshirt/kube-request-access/releases) and then request access as follows: +To request exec access in a cluster, install [kubectl-request](https://github.com/spreadshirt/kube-request-access/releases) and then request access as follows: ``` -$ kubectl access request exec --valid-for 1h nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*' +$ kubectl request exec --valid-for 1h nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*' created accessrequest ... (please wait for an admin to grant the permission) # after the request is granted @@ -31,7 +31,7 @@ $ kubectl exec nginx-7fb96c846b-pcnxl -- cat '/my/app/config/*' ... ``` -See [`kubectl-access` docs](./cmd/kubectl-access) docs for more details. +See [`kubectl-request` docs](./cmd/kubectl-request) docs for more details. ### For operators @@ -67,7 +67,7 @@ flowchart TD - `kube-request-access` intercepts `AccessRequest`s, `AccessGrant`s and `pods/exec` API calls and decides if they are valid -- developers request access using `kubectl access request` and admins grant it using `kubectl access grant` ([`kubectl-access`](./cmd/kubectl-access) plugin) +- developers request access using `kubectl request exec` and admins grant it using `kubectl request grant` ([`kubectl-request`](./cmd/kubectl-request) plugin) - `kube-request-access` can defer to custom webhooks to implement organization-specific auditing and additional validation, e.g. to store auditing information in a database or send notifications to a chat 
diff --git a/cmd/kubectl-access/README.md b/cmd/kubectl-request/README.md similarity index 86% rename from cmd/kubectl-access/README.md rename to cmd/kubectl-request/README.md index 5c4aa38..d4ce919 100644 --- a/cmd/kubectl-access/README.md +++ b/cmd/kubectl-request/README.md @@ -1,38 +1,38 @@ -# kubectl-access +# kubectl-request -`kubectl-access` is a kubectl plugin that manages the `AccessRequest` and `AccessGrant` CRDs +`kubectl-request` is a kubectl plugin that manages the `AccessRequest` and `AccessGrant` CRDs which `kube-request-access` uses to grant access to `kubectl exec`. ## Installation Download the [latest release](https://github.com/spreadshirt/kube-request-access/releases/latest) and put the -`kubectl-access` binary somewhere in your `PATH`. +`kubectl-request` binary somewhere in your `PATH`. -After that you can use it as `kubectl access`. +After that you can use it as `kubectl request`. ## Usage -- request access using `kubectl access request exec ...` +- request access using `kubectl request exec ...` - by default, access is requested to run the specified command once - you can also request access to run the given command multiple times for a duration using `--valid-for` - wait for an admin to grant permissions (or deny them) - run the command you requested access for using `kubectl exec` as usual -Here's the full `kubectl access --help` message for reference: +Here's the full `kubectl request --help` message for reference: ``` Request and grant access to `kubectl exec` and friends Usage: - access [command] + request [command] Examples: # request access - kubectl access request exec deployment/nginx ls -l /tmp + kubectl request exec deployment/nginx ls -l /tmp # grant access - kubectl access grant + kubectl request grant Available Commands: 
diff --git a/cmd/kubectl-access/kubectl-access.go b/cmd/kubectl-request/kubectl-request.go similarity index 97% rename from cmd/kubectl-access/kubectl-access.go rename to cmd/kubectl-request/kubectl-request.go index 83dcb1f..c9667ed 100644 --- a/cmd/kubectl-access/kubectl-access.go +++ b/cmd/kubectl-request/kubectl-request.go @@ -36,14 +36,14 @@ func main() { // pflag.CommandLine = flags cmd := &cobra.Command{ - Use: "access", + Use: "kubectl-request", Short: "Request and grant access to `kubectl exec` and friends", Example: ` # request access - kubectl access request exec deployment/nginx ls -l /tmp + kubectl request exec deployment/nginx ls -l /tmp # grant access - kubectl access grant + kubectl request grant `, Args: cobra.MinimumNArgs(1), Version: version, // set so that cobra adds the --version flag @@ -76,13 +76,6 @@ Build date: %s accessCommand.genericOptions = genericclioptions.NewConfigFlags(true) accessCommand.genericOptions.AddFlags(cmd.PersistentFlags()) - requestCmd := &cobra.Command{ - Use: "request [flags-and-args]", - Short: "Request access to `kubectl `", - Args: cobra.MinimumNArgs(1), - } - cmd.AddCommand(requestCmd) - requestExecCmd := &cobra.Command{ Use: "exec (POD | TYPE/NAME) [-c CONTAINER] [flags] -- [COMMAND] [args...] [options]", Short: "Request access to execute a command in a container.", 
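Review bot: The new root `Use: "kubectl-request"` does not match the help text this commit puts in cmd/kubectl-request/README.md, which shows `request [command]` under Usage; cobra prints the root's `Use` value there, so `--help` will presumably read `kubectl-request [command]`. If the cobra version in go.mod is 1.8 or newer (not visible here), adding `Annotations: map[string]string{cobra.CommandDisplayNameAnnotation: "kubectl request"},` next to `Use` makes help and error output show the name users actually type; otherwise regenerate the README block from the real output. main's body starts and ends outside the hunk.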
@@ -100,7 +93,7 @@ container to be attached or the first container in the pod will be chosen`) requestExecCmd.Flags().DurationVarP(&accessCommand.validFor, "valid-for", "d", 0, "Amount of the that the access is requested for (command will only be allowed once if not specified)") requestExecCmd.Flags().StringToStringVarP(&accessCommand.customKeys, "custom-key", "k", nil, "Custom key-value pairs to set") requestExecCmd.Flags().StringVarP(&accessCommand.onBehalfOf, "on-behalf-of", "", "", "Username to create the request on behalf of (only for admins)") - requestCmd.AddCommand(requestExecCmd) + cmd.AddCommand(requestExecCmd) grantCmd := &cobra.Command{ Use: "grant REQUEST", diff --git a/cmd/kubectl-access/update.go b/cmd/kubectl-request/update.go similarity index 93% rename from cmd/kubectl-access/update.go rename to cmd/kubectl-request/update.go index 8fa1745..c875c79 100644 --- a/cmd/kubectl-access/update.go +++ b/cmd/kubectl-request/update.go @@ -44,7 +44,7 @@ func getLatestVersion(ctx context.Context) (string, error) { return "", fmt.Errorf("could not get cache dir: %w", err) } - latestVersionPath := path.Join(cacheDir, "kubectl-access-version.txt") + latestVersionPath := path.Join(cacheDir, "kubectl-request-version.txt") fi, err := os.Stat(latestVersionPath) if err != nil && !errors.Is(err, fs.ErrNotExist) { return "", fmt.Errorf("coult not access version file: %w", err) @@ -64,7 +64,7 @@ func getLatestVersion(ctx context.Context) (string, error) { return "", fmt.Errorf("could not create request: %w", err) } - req.Header.Set("User-Agent", "kubectl-access / https://github.com/spreadshirt/kube-request-access") + req.Header.Set("User-Agent", "kubectl-request / https://github.com/spreadshirt/kube-request-access") req.Header.Set("Accept", "application/vnd.github+json") req.Header.Set("X-GitHub-Api-Version", "2022-11-28") diff --git a/demo.txt b/demo.asc old mode 100644 new mode 100755 similarity index 59% rename from demo.txt rename to demo.asc index 1ba6501..1250ec0 
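Review bot: The `--on-behalf-of` flag registered just before `cmd.AddCommand(requestExecCmd)` states its restriction only in help text ("only for admins"); nothing visible in this hunk enforces it, and a flag on a user-run client cannot. I would add a comment above the flag such as `// --on-behalf-of is not checked client-side; the admission webhook must reject it for non-admin callers` and confirm the webhook does so. While touching this block, the `--valid-for` help reads "Amount of the that the access is requested for" and should say `Amount of time that the access is requested for`. The enclosing function continues outside the hunk.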
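Review bot: `latestVersionPath` in the update.go hunk at -44,7 is built with `path.Join`, which is meant for slash-separated paths; for a file under the OS cache directory `filepath.Join(cacheDir, "kubectl-request-version.txt")` is the portable form, and it needs `path/filepath` in the import block, which is outside the hunk. The rename also leaves any existing `kubectl-access-version.txt` behind in the cache dir, so a one-time cleanup or a release note would avoid stale files. The error string two lines below reads "coult not access version file" and should be `could not access version file`. getLatestVersion continues outside the hunk.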
--- a/demo.txt +++ b/demo.asc @@ -1,17 +1,24 @@ +#!/bin/bash +## kube-request-access demo + +: kubectl get accessrequests.spreadgroup.com -o name | xargs kubectl delete &> /dev/null || true + # kubectl exec is usually not allowed: kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf # let's request access! -kubectl access --context dev request exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf +kubectl request --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf # pretend we're an admin and grant it -kubectl access --context admin grant +kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)" # note execOptions and userInfo above kubectl --context admin get accessrequests.spreadgroup.com kubectl --context admin get accessgrants.spreadgroup.com +: sleep 2 && clear + # now it works! kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf @@ -19,9 +26,9 @@ kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf # let's request access for a while -kubectl access --context dev request exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf +kubectl request --context dev exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf -kubectl access --context admin grant +kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)" # note the validFor field 
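Review bot: The name handed to `grant` in `kubectl request --context admin grant "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)"` comes from an inner `kubectl get` that carries no `--context` and simply takes whatever is listed last, so the script can approve a request from a different cluster or an older one than the request just created (the names come from `generateName`, so list order is presumably not creation order). A demo that people copy should select the request deliberately, e.g. `kubectl --context admin get accessrequests.spreadgroup.com --sort-by=.metadata.creationTimestamp -o name | tail -n1 | cut -d/ -f2`. The same substitution is used for the second grant (hunk at -19,9) and for the `delete` in the hunk at -32,10, and the cleanup line at the top removes every AccessRequest in whatever context is current with errors discarded, so it should name its `--context` explicitly too.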
@@ -32,10 +39,14 @@ kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf # but of course only this command kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/passwd +: sleep 2 && clear + # admins can revoke access kubectl --context admin get accessrequests.spreadgroup.com -kubectl --context admin delete accessrequests.spreadgroup.com +kubectl --context admin delete accessrequests.spreadgroup.com "$(kubectl get accessrequests.spreadgroup.com -o name | cut -d/ -f2 | tail -n1)" kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf # and that's kube-request-access! + +: sleep 2 diff --git a/demo.cast b/demo.cast index bf94423..84833de 100644 --- a/demo.cast +++ b/demo.cast 
@@ -1,217 +1,1361 @@ -{"version": 2, "width": 154, "height": 39, "timestamp": 1680185363, "idle_time_limit": 1.0, "env": {"SHELL": "/bin/zsh", "TERM": "screen-256color"}, "title": "kube-request-access-demo"} -[0.017948, "o", "\u0007\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[0.018443, "o", "\u001b[?2004h$ "] -[1.141856, "o", "\u001b[H\u001b[J$ "] -[5.419244, "o", "\u001b[3m# kubectl exec is usually not allowed:\u001b[23m"] -[5.957722, "o", "\r\u001b[C\u001b[C# kubectl exec is usually not allowed:\r\n"] -[5.957747, "o", "\u001b[?2004l\r"] -[5.95785, "o", "\u0007"] -[5.957879, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[5.957901, "o", "\u001b[?2004h$ "] -[10.926716, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[11.541911, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[11.59991, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] -[11.601308, "o", "\u0007"] -[11.60137, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[13.582164, "o", "\r\n\u001b[?2004l\r"] -[13.582292, "o", "\u0007"] -[13.582322, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[13.58235, "o", "\u001b[?2004h"] -[13.58237, "o", "$ "] -[13.909793, "o", "\r\n\u001b[?2004l\r"] -[13.909952, "o", "\u0007"] -[13.910014, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[13.910043, "o", "$ "] -[17.560425, "o", "\u001b[3m# let's request access!\u001b[23m"] -[18.207017, "o", "\r\u001b[C\u001b[C# let's request access!\r\n\u001b[?2004l\r"] -[18.207193, "o", "\u0007"] -[18.20721, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[18.20727, "o", "\u001b[?2004h$ "] -[23.823848, "o", 
"\u001b[3mkubectl access --context dev request exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[24.622661, "o", "\r\u001b[C\u001b[Ckubectl access --context dev request exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[24.682021, "o", "created accessrequest access-exec-dev-sbdmw (please wait for an admin to grant the permission)\r\n"] -[24.683479, "o", "\u0007"] -[24.683534, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[36.806767, "o", "\r\n\u001b[?2004l\r"] -[36.806934, "o", "\u0007"] -[36.806981, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[36.807013, "o", "\u001b[?2004h$ "] -[37.014763, "o", "\r\n\u001b[?2004l\r"] -[37.014997, "o", "\u0007\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[37.015079, "o", "\u001b[?2004h$ "] -[37.548255, "o", "\u001b[3m# pretend we're an admin and grant it\u001b[23m"] -[37.998946, "o", "\r\u001b[C\u001b[C# pretend we're an admin and grant it\r\n\u001b[?2004l\r"] -[37.999084, "o", "\u0007"] -[37.999123, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[37.999172, "o", "\u001b[?2004h$ "] -[42.655405, "o", "\u001b[3mkubectl access --context admin grant\u001b[23m"] -[43.038744, "o", "\r\u001b[C\u001b[Ckubectl access --context admin grant "] -[44.588672, "o", "\u001b[3maccess-exec-dev-sbdmw\u001b[23m"] -[45.526981, "o", "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\baccess-exec-dev-sbdmw\r\n\u001b[?2004l\r"] -[45.574738, "o", "apiVersion: spreadgroup.com/v1\r\nkind: AccessRequest\r\nmetadata:\r\n creationTimestamp: \"2023-03-30T14:09:48Z\"\r\n generateName: access-exec-dev-\r\n generation: 1\r\n labels:\r\n username: dev\r\n managedFields:\r\n - apiVersion: spreadgroup.com/v1\r\n fieldsType: FieldsV1\r\n fieldsV1:\r\n f:metadata:\r\n f:generateName: {}\r\n f:labels:\r\n .: {}\r\n f:username: {}\r\n f:spec:\r\n .: {}\r\n f:execOptions:\r\n .: {}\r\n f:apiVersion: {}\r\n f:command: {}\r\n 
f:container: {}\r\n f:kind: {}\r\n f:stderr: {}\r\n f:stdout: {}\r\n f:forObject:\r\n .: {}\r\n f:name: {}\r\n f:namespace: {}\r\n f:resource:\r\n .: {}\r\n f:group: {}\r\n f:resource: {}\r\n f:version: {}\r\n f:subResource: {}\r\n f:userInfo:\r\n .: {}\r\n f:username: {}\r\n manager: kubectl-access\r\n operation: Update\r\n time: \"2023-03-30T14:09:48Z\"\r\n name: access-exec-"] -[45.574851, "o", "dev-sbdmw\r\n namespace: default\r\n resourceVersion: \"61805\"\r\n uid: 789b0b26-fcbe-4912-9ee0-0db5267681c4\r\nspec:\r\n customKeys: null\r\n execOptions:\r\n apiVersion: v1\r\n command:\r\n - cat\r\n - /etc/nginx/nginx.conf\r\n container: nginx\r\n kind: PodExecOptions\r\n stderr: true\r\n stdout: true\r\n forObject:\r\n name: nginx-7fb96c846b-pcnxl\r\n namespace: default\r\n resource:\r\n group: \"\"\r\n resource: pods\r\n version: v1\r\n subResource: exec\r\n userInfo:\r\n username: dev\r\nGrant access to the request above ([yN])? "] -[46.966048, "o", "y"] -[47.310905, "o", "\r\n"] -[47.334146, "o", "created grant grant-access-exec-dev-sbdmw\r\n"] -[47.336144, "o", "\u0007"] -[47.336198, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[47.336206, "o", "$ "] -[51.371121, "o", "\u001b[3m# note execOptions and userInfo above\u001b[23m"] -[51.950993, "o", "\r\u001b[C\u001b[C# note execOptions and userInfo above\r\n\u001b[?2004l\r"] -[51.951301, "o", "\u0007"] -[51.951337, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[51.95147, "o", "\u001b[?2004h$ "] -[58.561154, "o", "\u001b[3mkubectl --context admin get accessrequests.spreadgroup.com\u001b[23m"] -[58.878208, "o", "\r\u001b[C\u001b[Ckubectl --context admin get accessrequests.spreadgroup.com\r\n\u001b[?2004l\r"] -[58.92776, "o", "NAME USER FOR COMMAND DURATION\r\naccess-exec-dev-sbdmw dev nginx-7fb96c846b-pcnxl [\"cat\",\"/etc/nginx/nginx.conf\"] \r\n"] -[58.929232, "o", "\u0007"] -[58.929288, "o", 
"\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[64.013227, "o", "\u001b[3mkubectl --context admin get accessgrants.spreadgroup.com\u001b[23m"] -[64.454744, "o", "\r\u001b[C\u001b[Ckubectl --context admin get accessgrants.spreadgroup.com\r\n\u001b[?2004l\r"] -[64.504549, "o", "NAME REQUEST GRANTED BY STATUS AGE\r\ngrant-access-exec-dev-sbdmw access-exec-dev-sbdmw admin@k3d-k3s-default granted 17s\r\n"] -[64.505883, "o", "\u0007"] -[64.50594, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[64.505963, "o", "\u001b[?2004h$ "] -[69.742921, "o", "\u001b[H\u001b[J$ "] -[73.812234, "o", "\u001b[3m# now it works!\u001b[23m"] -[74.142999, "o", "\r\u001b[C\u001b[C# now it works!\r\n\u001b[?2004l\r"] -[74.143317, "o", "\u0007"] -[74.143411, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[74.143435, "o", "$ "] -[77.583343, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[78.278294, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[78.403461, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include /etc/nginx/conf.d/*.conf;\r\n}\r\n"] -[78.406557, "o", "\u0007"] -[78.406629, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[84.01504, "o", "\r\n\u001b[?2004l\r"] -[84.015288, "o", 
"\u0007\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[84.015307, "o", "\u001b[?2004h"] -[84.015317, "o", "$ "] -[84.215369, "o", "\r\n\u001b[?2004l\r"] -[84.21556, "o", "\u0007"] -[84.215594, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[84.215617, "o", "\u001b[?2004h"] -[84.215637, "o", "$ "] -[84.86627, "o", "\u001b[3m# only once by default\u001b[23m"] -[85.279038, "o", "\r\u001b[C\u001b[C# only once by default\r\n\u001b[?2004l\r"] -[85.279189, "o", "\u0007"] -[85.279207, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[85.279266, "o", "\u001b[?2004h$ "] -[92.74434, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[93.487317, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[93.527389, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] -[93.528975, "o", "\u0007"] -[93.529033, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[93.529058, "o", "$ "] -[96.343041, "o", "\u001b[H\u001b[J$ "] -[100.64338, "o", "\u001b[3m# let's request access for a while\u001b[23m"] -[101.223443, "o", "\r\u001b[C\u001b[C# let's request access for a while\r\n\u001b[?2004l\r"] -[101.223646, "o", "\u0007"] -[101.223714, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[106.165444, "o", "\u001b[3mkubectl access --context dev request exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[106.847206, "o", "\r\u001b[C\u001b[Ckubectl access --context dev request exec --valid-for=10m nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[106.898403, "o", "created accessrequest access-exec-dev-ddgbh (please wait for an admin to grant the 
permission)\r\n"] -[106.900422, "o", "\u0007"] -[106.900473, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[106.900499, "o", "\u001b[?2004h$ "] -[112.391364, "o", "\r\n\u001b[?2004l\r"] -[112.391687, "o", "\u0007"] -[112.391779, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[112.391831, "o", "\u001b[?2004h$ "] -[112.559406, "o", "\r\n\u001b[?2004l\r"] -[112.559565, "o", "\u0007"] -[112.559595, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[112.559609, "o", "\u001b[?2004h$ "] -[113.244913, "o", "\u001b[3mkubectl access --context admin grant\u001b[23m"] -[113.631392, "o", "\r\u001b[C\u001b[Ckubectl access --context admin grant "] -[115.68311, "o", "\u001b[3maccess-exec-dev-ddgbh\u001b[23m"] -[116.255475, "o", "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\baccess-exec-dev-ddgbh\r\n\u001b[?2004l\r"] -[116.30478, "o", "apiVersion: spreadgroup.com/v1\r\nkind: AccessRequest\r\nmetadata:\r\n creationTimestamp: \"2023-03-30T14:11:10Z\"\r\n generateName: access-exec-dev-\r\n generation: 1\r\n labels:\r\n username: dev\r\n managedFields:\r\n - apiVersion: spreadgroup.com/v1\r\n fieldsType: FieldsV1\r\n fieldsV1:\r\n f:metadata:\r\n f:generateName: {}\r\n f:labels:\r\n .: {}\r\n f:username: {}\r\n f:spec:\r\n .: {}\r\n f:execOptions:\r\n .: {}\r\n f:apiVersion: {}\r\n f:command: {}\r\n f:container: {}\r\n f:kind: {}\r\n f:stderr: {}\r\n f:stdout: {}\r\n f:forObject:\r\n .: {}\r\n f:name: {}\r\n f:namespace: {}\r\n f:resource:\r\n .: {}\r\n f:group: {}\r\n f:resource: {}\r\n f:version: {}\r\n f:subResource: {}\r\n f:userInfo:\r\n .: {}\r\n f:username: {}\r\n f:validFor: {}\r\n manager: kubectl-access\r\n operation: Update\r\n time: \"2023-03-30T14:11:10"] -[116.304878, "o", "Z\"\r\n name: access-exec-dev-ddgbh\r\n namespace: default\r\n resourceVersion: \"61827\"\r\n uid: 8e1ec300-71a4-4ca5-889d-9614ad042980\r\nspec:\r\n customKeys: null\r\n execOptions:\r\n apiVersion: v1\r\n command:\r\n - cat\r\n - 
/etc/nginx/nginx.conf\r\n container: nginx\r\n kind: PodExecOptions\r\n stderr: true\r\n stdout: true\r\n forObject:\r\n name: nginx-7fb96c846b-pcnxl\r\n namespace: default\r\n resource:\r\n group: \"\"\r\n resource: pods\r\n version: v1\r\n subResource: exec\r\n userInfo:\r\n username: dev\r\n validFor: 10m0s\r\nGrant access to the request above ([yN])? "] -[117.606873, "o", "y"] -[118.014632, "o", "\r\n"] -[118.028923, "o", "created grant grant-access-exec-dev-ddgbh\r\n"] -[118.030566, "o", "\u0007"] -[118.030611, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[118.030632, "o", "$ "] -[123.044076, "o", "\u001b[3m# note the validFor field\u001b[23m"] -[123.695046, "o", "\r\u001b[C\u001b[C# note the validFor field\r\n\u001b[?2004l\r"] -[123.695385, "o", "\u0007"] -[123.69549, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[123.695584, "o", "\u001b[?2004h$ "] -[129.463575, "o", "\u001b[H\u001b[J$ "] -[130.434746, "o", "\u001b[3m# now we can run it multiple times\u001b[23m"] -[130.93528, "o", "\r\u001b[C\u001b[C# now we can run it multiple times\r\n\u001b[?2004l\r"] -[130.93561, "o", "\u0007"] -[130.935671, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[130.935694, "o", "\u001b[?2004h"] -[130.935701, "o", "$ "] -[135.169504, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[135.711293, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[135.849909, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n 
'\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include /etc/nginx/conf.d/*.conf;\r\n}\r\n"] -[135.852171, "o", "\u0007"] -[135.852275, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[139.766078, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[140.40745, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[140.535983, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include /etc/nginx/conf.d/*.conf;\r\n}\r\n"] -[140.53864, "o", "\u0007"] -[140.538708, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[147.999184, "o", "\u001b[H\u001b[J$ "] -[148.439928, "o", "\u001b[3m# but of course only this command\u001b[23m"] -[148.791427, "o", "\r\u001b[C\u001b[C# but of course only this command\r\n\u001b[?2004l\r"] -[148.791605, "o", "\u0007"] -[148.791663, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h"] -[148.791696, "o", "$ "] -[153.027691, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/passwd\u001b[23m"] -[153.751538, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat 
/etc/passwd\r\n\u001b[?2004l\r"] -[153.794608, "o", "Error from server: admission webhook \"kube-request-access.default.svc\" denied the request without explanation\r\n"] -[153.796387, "o", "\u0007"] -[153.796442, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[155.96759, "o", "\u001b[H\u001b[J$ "] -[160.478826, "o", "\u001b[3m# admins can revoke access\u001b[23m"] -[161.222801, "o", "\r\u001b[C\u001b[C# admins can revoke access\r\n\u001b[?2004l\r"] -[161.222947, "o", "\u0007"] -[161.222962, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[161.223033, "o", "\u001b[?2004h$ "] -[165.51533, "o", "\u001b[3mkubectl --context admin get accessrequests.spreadgroup.com\u001b[23m"] -[166.127376, "o", "\r\u001b[C\u001b[Ckubectl --context admin get accessrequests.spreadgroup.com\\"] -[166.134909, "o", "\r\n\u001b[?2004l\r"] -[166.134945, "o", "\u001b[?2004h> "] -[167.175544, "o", "\r\n\u001b[?2004l\r"] -[167.224282, "o", "NAME USER FOR COMMAND DURATION\r\naccess-exec-dev-ddgbh dev nginx-7fb96c846b-pcnxl [\"cat\",\"/etc/nginx/nginx.conf\"] 10m0s\r\n"] -[167.225901, "o", "\u0007"] -[167.225936, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[167.225952, "o", "\u001b[?2004h$ "] -[172.348488, "o", "\u001b[3mkubectl --context admin delete accessrequests.spreadgroup.com\u001b[23m"] -[172.743499, "o", "\r\u001b[C\u001b[Ckubectl --context admin delete accessrequests.spreadgroup.com "] -[174.753997, "o", "\u001b[3maccess-exec-dev-ddgbh\u001b[23m"] -[175.527674, "o", "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\baccess-exec-dev-ddgbh\r\n\u001b[?2004l\r"] -[175.577438, "o", "accessrequest.spreadgroup.com \"access-exec-dev-ddgbh\" deleted\r\n"] -[175.58153, "o", "\u0007"] -[175.581653, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[181.68678, "o", "\r\n\u001b[?2004l\r"] -[181.686934, "o", "\u0007\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[181.68702, "o", 
"\u001b[?2004h"] -[181.687055, "o", "$ "] -[181.847376, "o", "\r\n\u001b[?2004l\r"] -[181.847621, "o", "\u0007"] -[181.847749, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[182.595167, "o", "\u001b[3mkubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\u001b[23m"] -[183.215814, "o", "\r\u001b[C\u001b[Ckubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf\r\n\u001b[?2004l\r"] -[183.252877, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] -[183.254347, "o", "\u0007"] -[183.254412, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[184.055392, "o", "K"] -[184.807306, "o", "\b\u001b[K"] -[185.271714, "o", "kubectl --context dev exec nginx-7fb96c846b-pcnxl -- cat /etc/nginx/nginx.conf"] -[185.655507, "o", "\r\n\u001b[?2004l\r"] -[185.695388, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] -[185.697279, "o", "\u0007"] -[185.697333, "o", "\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\\u001b[?2004h$ "] -[193.399652, "o", "\u001b[H\u001b[J$ "] -[193.968691, "o", "\u001b[3m# and that's kube-request-access!\u001b[23m"] -[194.655019, "o", "\r\u001b[C\u001b[C# and that's kube-request-access!\r\n\u001b[?2004l\r"] -[194.655184, "o", "\u0007\u001b_luna@metaphya:~/projects/kube-request-access\u001b\\"] -[194.655257, "o", "\u001b[?2004h$ "] -[198.959659, "o", "\u001b[?2004l\r\r\n"] -[198.959877, "o", "logout\r\n"] +{"version": 2, "width": 147, "height": 43, "timestamp": 1682342771, "idle_time_limit": 1.0, "env": {"SHELL": "/bin/zsh", "TERM": "screen-256color"}, "title": "demo.asc"} +[0.005392, "o", "🎥 \u001b[32;3mBegin recording - \u001b[1mdemo.asc\u001b[0m\r\n"] +[0.006487, 
"o", "💭 \u001b[3;1m#kube-request-access demo\u001b[0m\r\n\r\n"] +[0.086351, "o", "\r\n"] +[0.087401, "o", "💭 \u001b[3;1mkubectl exec is usually not allowed:\u001b[0m\r\n"] +[0.087445, "o", "\u001b[32;1m❯\u001b[0m "] +[1.089319, "o", "k"] +[1.091495, "o", "u"] +[1.093184, "o", "b"] +[1.094798, "o", "e"] +[1.096549, "o", "c"] +[1.098212, "o", "t"] +[1.099775, "o", "l"] +[1.101463, "o", " "] +[1.103043, "o", "-"] +[1.104862, "o", "-"] +[1.106528, "o", "c"] +[1.108036, "o", "o"] +[1.109488, "o", "n"] +[1.11101, "o", "t"] +[1.112625, "o", "e"] +[1.114175, "o", "x"] +[1.115632, "o", "t"] +[1.117222, "o", " "] +[1.118727, "o", "d"] +[1.120198, "o", "e"] +[1.121698, "o", "v"] +[1.123246, "o", " "] +[1.12485, "o", "e"] +[1.126326, "o", "x"] +[1.12781, "o", "e"] +[1.129371, "o", "c"] +[1.130761, "o", " "] +[1.132191, "o", "n"] +[1.133675, "o", "g"] +[1.135159, "o", "i"] +[1.136607, "o", "n"] +[1.138098, "o", "x"] +[1.139557, "o", "-"] +[1.140998, "o", "7"] +[1.142461, "o", "f"] +[1.1439, "o", "b"] +[1.145464, "o", "9"] +[1.146904, "o", "6"] +[1.148427, "o", "c"] +[1.149877, "o", "8"] +[1.151401, "o", "4"] +[1.152845, "o", "6"] +[1.154336, "o", "b"] +[1.155786, "o", "-"] +[1.157259, "o", "p"] +[1.158739, "o", "c"] +[1.160287, "o", "n"] +[1.161744, "o", "x"] +[1.163238, "o", "l"] +[1.164749, "o", " "] +[1.166263, "o", "-"] +[1.167729, "o", "-"] +[1.169267, "o", " "] +[1.17071, "o", "c"] +[1.172149, "o", "a"] +[1.173971, "o", "t"] +[1.17553, "o", " "] +[1.177035, "o", "/"] +[1.178615, "o", "e"] +[1.18011, "o", "t"] +[1.181726, "o", "c"] +[1.183289, "o", "/"] +[1.184724, "o", "n"] +[1.186257, "o", "g"] +[1.187757, "o", "i"] +[1.189252, "o", "n"] +[1.190939, "o", "x"] +[1.192378, "o", "/"] +[1.193875, "o", "n"] +[1.195362, "o", "g"] +[1.196869, "o", "i"] +[1.198359, "o", "n"] +[1.199821, "o", "x"] +[1.201269, "o", "."] +[1.2027, "o", "c"] +[1.204304, "o", "o"] +[1.205771, "o", "n"] +[1.207361, "o", "f"] +[2.209761, "o", "\u001b[0m\r\n"] +[2.249318, "o", "Error from server 
(Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] +[2.250855, "o", "\r\n"] +[2.251826, "o", "💭 \u001b[3;1mlet's request access!\u001b[0m\r\n"] +[2.251873, "o", "\u001b[32;1m❯\u001b[0m "] +[3.25397, "o", "k"] +[3.255752, "o", "u"] +[3.257431, "o", "b"] +[3.25894, "o", "e"] +[3.260453, "o", "c"] +[3.262011, "o", "t"] +[3.263674, "o", "l"] +[3.265294, "o", " "] +[3.266884, "o", "r"] +[3.268401, "o", "e"] +[3.269917, "o", "q"] +[3.271543, "o", "u"] +[3.273021, "o", "e"] +[3.27515, "o", "s"] +[3.276755, "o", "t"] +[3.278271, "o", " "] +[3.279798, "o", "-"] +[3.281328, "o", "-"] +[3.282851, "o", "c"] +[3.284419, "o", "o"] +[3.285956, "o", "n"] +[3.287524, "o", "t"] +[3.289006, "o", "e"] +[3.290848, "o", "x"] +[3.292531, "o", "t"] +[3.294239, "o", " "] +[3.295743, "o", "d"] +[3.297389, "o", "e"] +[3.298885, "o", "v"] +[3.300408, "o", " "] +[3.301864, "o", "e"] +[3.30338, "o", "x"] +[3.304909, "o", "e"] +[3.30638, "o", "c"] +[3.308102, "o", " "] +[3.30967, "o", "n"] +[3.311212, "o", "g"] +[3.312768, "o", "i"] +[3.314322, "o", "n"] +[3.315834, "o", "x"] +[3.3174, "o", "-"] +[3.318974, "o", "7"] +[3.320537, "o", "f"] +[3.322019, "o", "b"] +[3.32359, "o", "9"] +[3.325152, "o", "6"] +[3.326776, "o", "c"] +[3.32839, "o", "8"] +[3.329891, "o", "4"] +[3.33144, "o", "6"] +[3.332945, "o", "b"] +[3.334507, "o", "-"] +[3.336013, "o", "p"] +[3.337528, "o", "c"] +[3.338999, "o", "n"] +[3.340596, "o", "x"] +[3.342304, "o", "l"] +[3.343976, "o", " "] +[3.345639, "o", "-"] +[3.347161, "o", "-"] +[3.34881, "o", " "] +[3.350377, "o", "c"] +[3.351893, "o", "a"] +[3.35342, "o", "t"] +[3.354885, "o", " "] +[3.356421, "o", "/"] +[3.357857, "o", "e"] +[3.359433, "o", "t"] +[3.361097, "o", "c"] +[3.36272, "o", "/"] +[3.364202, "o", "n"] +[3.365803, "o", "g"] +[3.36735, "o", "i"] +[3.368915, "o", "n"] +[3.370447, "o", "x"] +[3.371917, "o", "/"] +[3.373463, "o", "n"] +[3.374981, "o", "g"] 
+[3.376516, "o", "i"] +[3.378011, "o", "n"] +[3.379506, "o", "x"] +[3.381106, "o", "."] +[3.382635, "o", "c"] +[3.384119, "o", "o"] +[3.385649, "o", "n"] +[3.387127, "o", "f"] +[4.389695, "o", "\u001b[0m\r\n"] +[4.446293, "o", "created accessrequest access-exec-dev-r2nn6 (please wait for an admin to grant the permission)\r\n"] +[4.447477, "o", "\r\n"] +[4.448521, "o", "💭 \u001b[3;1mpretend we're an admin and grant it\u001b[0m\r\n"] +[4.44859, "o", "\u001b[32;1m❯\u001b[0m "] +[5.450162, "o", "k"] +[5.451834, "o", "u"] +[5.45337, "o", "b"] +[5.454926, "o", "e"] +[5.456424, "o", "c"] +[5.457903, "o", "t"] +[5.459425, "o", "l"] +[5.461003, "o", " "] +[5.462549, "o", "r"] +[5.464045, "o", "e"] +[5.465619, "o", "q"] +[5.467052, "o", "u"] +[5.468563, "o", "e"] +[5.470078, "o", "s"] +[5.471634, "o", "t"] +[5.473116, "o", " "] +[5.4746, "o", "-"] +[5.476068, "o", "-"] +[5.477599, "o", "c"] +[5.478988, "o", "o"] +[5.48041, "o", "n"] +[5.481972, "o", "t"] +[5.483472, "o", "e"] +[5.485021, "o", "x"] +[5.486586, "o", "t"] +[5.488037, "o", " "] +[5.490003, "o", "a"] +[5.491532, "o", "d"] +[5.492992, "o", "m"] +[5.494599, "o", "i"] +[5.49623, "o", "n"] +[5.497704, "o", " "] +[5.499145, "o", "g"] +[5.500644, "o", "r"] +[5.502134, "o", "a"] +[5.503555, "o", "n"] +[5.505034, "o", "t"] +[5.506545, "o", " "] +[5.508047, "o", "\""] +[5.51018, "o", "$"] +[5.511812, "o", "("] +[5.513317, "o", "k"] +[5.514832, "o", "u"] +[5.516466, "o", "b"] +[5.517914, "o", "e"] +[5.519446, "o", "c"] +[5.521264, "o", "t"] +[5.522822, "o", "l"] +[5.524309, "o", " "] +[5.525761, "o", "g"] +[5.52724, "o", "e"] +[5.528671, "o", "t"] +[5.530142, "o", " "] +[5.531615, "o", "a"] +[5.533072, "o", "c"] +[5.5346, "o", "c"] +[5.536039, "o", "e"] +[5.537534, "o", "s"] +[5.539023, "o", "s"] +[5.540516, "o", "r"] +[5.54198, "o", "e"] +[5.543389, "o", "q"] +[5.544859, "o", "u"] +[5.546241, "o", "e"] +[5.547662, "o", "s"] +[5.549054, "o", "t"] +[5.550489, "o", "s"] +[5.552005, "o", "."] +[5.553442, "o", "s"] +[5.554887, 
"o", "p"] +[5.556266, "o", "r"] +[5.557704, "o", "e"] +[5.559183, "o", "a"] +[5.560705, "o", "d"] +[5.562191, "o", "g"] +[5.563696, "o", "r"] +[5.565156, "o", "o"] +[5.56667, "o", "u"] +[5.56817, "o", "p"] +[5.569675, "o", "."] +[5.571206, "o", "c"] +[5.572796, "o", "o"] +[5.574299, "o", "m"] +[5.575969, "o", " "] +[5.577598, "o", "-"] +[5.579214, "o", "o"] +[5.580644, "o", " "] +[5.582056, "o", "n"] +[5.583567, "o", "a"] +[5.585062, "o", "m"] +[5.586503, "o", "e"] +[5.58803, "o", " "] +[5.589418, "o", "|"] +[5.590931, "o", " "] +[5.592312, "o", "c"] +[5.593745, "o", "u"] +[5.595347, "o", "t"] +[5.59675, "o", " "] +[5.598156, "o", "-"] +[5.599585, "o", "d"] +[5.601082, "o", "/"] +[5.602555, "o", " "] +[5.604018, "o", "-"] +[5.605481, "o", "f"] +[5.607007, "o", "2"] +[5.60848, "o", " "] +[5.610053, "o", "|"] +[5.611483, "o", " "] +[5.612948, "o", "t"] +[5.614332, "o", "a"] +[5.615771, "o", "i"] +[5.617168, "o", "l"] +[5.618589, "o", " "] +[5.620121, "o", "-"] +[5.62156, "o", "n"] +[5.623233, "o", "1"] +[5.624717, "o", ")"] +[5.626278, "o", "\""] +[6.628976, "o", "\u001b[0m\r\n"] +[6.720281, "o", "apiVersion: spreadgroup.com/v1\r\nkind: AccessRequest\r\nmetadata:\r\n creationTimestamp: \"2023-04-24T13:26:16Z\"\r\n generateName: access-exec-dev-\r\n generation: 1\r\n labels:\r\n username: dev\r\n name: access-exec-dev-r2nn6\r\n namespace: default\r\n resourceVersion: \"139068\"\r\n uid: dfe1687c-3443-4a1e-873a-85631b789775\r\nspec:\r\n customKeys: null\r\n execOptions:\r\n apiVersion: v1\r\n command:\r\n - cat\r\n - /etc/nginx/nginx.conf\r\n container: nginx\r\n kind: PodExecOptions\r\n stderr: true\r\n stdout: true\r\n forObject:\r\n name: nginx-7fb96c846b-pcnxl\r\n namespace: default\r\n resource:\r\n group: \"\"\r\n resource: pods\r\n version: v1\r\n subResource: exec\r\n userInfo:\r\n username: dev\r\n---\r\n\"access-exec-dev-r2nn6\" requested by \"dev\"\r\n\r\n- requesting access to \"nginx-7fb96c846b-pcnxl\" and container \"nginx\" in namespace \"default\"\r\n- 
to run [\"cat\" \"/etc/nginx/nginx.conf\"]\r\n- once\r\n\r\nGrant access to the request above ([yN])? "] +[8.145075, "o", "y"] +[8.304654, "o", "\r\n"] +[8.322558, "o", "created grant grant-access-exec-dev-r2nn6\r\n"] +[8.323872, "o", "\r\n"] +[8.325064, "o", "💭 \u001b[3;1mnote execOptions and userInfo above\u001b[0m\r\n"] +[8.32508, "o", "\r\n"] +[8.325137, "o", "\u001b[32;1m❯\u001b[0m "] +[9.327274, "o", "k"] +[9.3295, "o", "u"] +[9.331435, "o", "b"] +[9.333598, "o", "e"] +[9.335516, "o", "c"] +[9.337101, "o", "t"] +[9.338682, "o", "l"] +[9.340423, "o", " "] +[9.342026, "o", "-"] +[9.343577, "o", "-"] +[9.345262, "o", "c"] +[9.346919, "o", "o"] +[9.348798, "o", "n"] +[9.350331, "o", "t"] +[9.351992, "o", "e"] +[9.353436, "o", "x"] +[9.35497, "o", "t"] +[9.356463, "o", " "] +[9.358037, "o", "a"] +[9.359566, "o", "d"] +[9.361094, "o", "m"] +[9.362527, "o", "i"] +[9.364053, "o", "n"] +[9.36554, "o", " "] +[9.367033, "o", "g"] +[9.368451, "o", "e"] +[9.370025, "o", "t"] +[9.371545, "o", " "] +[9.373142, "o", "a"] +[9.374579, "o", "c"] +[9.376113, "o", "c"] +[9.377618, "o", "e"] +[9.379158, "o", "s"] +[9.380906, "o", "s"] +[9.382534, "o", "r"] +[9.383976, "o", "e"] +[9.385392, "o", "q"] +[9.386911, "o", "u"] +[9.388353, "o", "e"] +[9.38986, "o", "s"] +[9.391471, "o", "t"] +[9.393062, "o", "s"] +[9.39451, "o", "."] +[9.396059, "o", "s"] +[9.397664, "o", "p"] +[9.399165, "o", "r"] +[9.40063, "o", "e"] +[9.402181, "o", "a"] +[9.403646, "o", "d"] +[9.405157, "o", "g"] +[9.406612, "o", "r"] +[9.408238, "o", "o"] +[9.409572, "o", "u"] +[9.411129, "o", "p"] +[9.412909, "o", "."] +[9.41437, "o", "c"] +[9.41584, "o", "o"] +[9.417299, "o", "m"] +[10.419994, "o", "\u001b[0m\r\n"] +[10.468277, "o", "NAME USER FOR COMMAND DURATION\r\naccess-exec-dev-r2nn6 dev nginx-7fb96c846b-pcnxl [\"cat\",\"/etc/nginx/nginx.conf\"] \r\n"] +[10.470529, "o", "\u001b[32;1m❯\u001b[0m "] +[11.472627, "o", "k"] +[11.474662, "o", "u"] +[11.476383, "o", "b"] +[11.478995, "o", "e"] +[11.481184, "o", "c"] 
+[11.482749, "o", "t"] +[11.484428, "o", "l"] +[11.486015, "o", " "] +[11.487545, "o", "-"] +[11.489143, "o", "-"] +[11.490652, "o", "c"] +[11.492264, "o", "o"] +[11.493773, "o", "n"] +[11.495474, "o", "t"] +[11.497036, "o", "e"] +[11.498536, "o", "x"] +[11.500132, "o", "t"] +[11.501652, "o", " "] +[11.503289, "o", "a"] +[11.50478, "o", "d"] +[11.506469, "o", "m"] +[11.508082, "o", "i"] +[11.509701, "o", "n"] +[11.511245, "o", " "] +[11.512843, "o", "g"] +[11.514456, "o", "e"] +[11.515981, "o", "t"] +[11.517848, "o", " "] +[11.519447, "o", "a"] +[11.521026, "o", "c"] +[11.522576, "o", "c"] +[11.524158, "o", "e"] +[11.525639, "o", "s"] +[11.527179, "o", "s"] +[11.528667, "o", "g"] +[11.530217, "o", "r"] +[11.531771, "o", "a"] +[11.533372, "o", "n"] +[11.534876, "o", "t"] +[11.536552, "o", "s"] +[11.538121, "o", "."] +[11.539663, "o", "s"] +[11.541175, "o", "p"] +[11.542619, "o", "r"] +[11.544178, "o", "e"] +[11.54562, "o", "a"] +[11.547162, "o", "d"] +[11.548704, "o", "g"] +[11.55039, "o", "r"] +[11.551863, "o", "o"] +[11.553505, "o", "u"] +[11.554973, "o", "p"] +[11.556693, "o", "."] +[11.558214, "o", "c"] +[11.559702, "o", "o"] +[11.561154, "o", "m"] +[12.563843, "o", "\u001b[0m\r\n"] +[12.614641, "o", "NAME REQUEST GRANTED BY STATUS AGE\r\ngrant-access-exec-dev-r2nn6 access-exec-dev-r2nn6 admin@k3d-k3s-default granted 4s\r\n"] +[12.6165, "o", "\r\n"] +[14.619294, "o", "\u001b[H\u001b[J"] +[14.619341, "o", "\r\n"] +[14.620461, "o", "💭 \u001b[3;1mnow it works!\u001b[0m\r\n"] +[14.620556, "o", "\u001b[32;1m❯\u001b[0m "] +[15.622682, "o", "k"] +[15.624798, "o", "u"] +[15.626475, "o", "b"] +[15.629151, "o", "e"] +[15.63201, "o", "c"] +[15.633985, "o", "t"] +[15.635748, "o", "l"] +[15.63762, "o", " "] +[15.639241, "o", "-"] +[15.6408, "o", "-"] +[15.642807, "o", "c"] +[15.644583, "o", "o"] +[15.64614, "o", "n"] +[15.64788, "o", "t"] +[15.649546, "o", "e"] +[15.651156, "o", "x"] +[15.652753, "o", "t"] +[15.654478, "o", " "] +[15.656041, "o", "d"] +[15.657579, "o", "e"] 
+[15.65909, "o", "v"] +[15.660815, "o", " "] +[15.662341, "o", "e"] +[15.663778, "o", "x"] +[15.665405, "o", "e"] +[15.666892, "o", "c"] +[15.668423, "o", " "] +[15.670042, "o", "n"] +[15.671538, "o", "g"] +[15.673023, "o", "i"] +[15.674541, "o", "n"] +[15.676099, "o", "x"] +[15.677571, "o", "-"] +[15.679147, "o", "7"] +[15.680613, "o", "f"] +[15.682128, "o", "b"] +[15.683588, "o", "9"] +[15.685096, "o", "6"] +[15.686537, "o", "c"] +[15.688031, "o", "8"] +[15.689451, "o", "4"] +[15.690939, "o", "6"] +[15.692425, "o", "b"] +[15.693871, "o", "-"] +[15.69543, "o", "p"] +[15.697026, "o", "c"] +[15.698503, "o", "n"] +[15.700068, "o", "x"] +[15.701593, "o", "l"] +[15.703049, "o", " "] +[15.704569, "o", "-"] +[15.706013, "o", "-"] +[15.707569, "o", " "] +[15.70905, "o", "c"] +[15.710596, "o", "a"] +[15.712085, "o", "t"] +[15.713611, "o", " "] +[15.715161, "o", "/"] +[15.716612, "o", "e"] +[15.718038, "o", "t"] +[15.719517, "o", "c"] +[15.721095, "o", "/"] +[15.722608, "o", "n"] +[15.724092, "o", "g"] +[15.725571, "o", "i"] +[15.72716, "o", "n"] +[15.728737, "o", "x"] +[15.730268, "o", "/"] +[15.731751, "o", "n"] +[15.733303, "o", "g"] +[15.73487, "o", "i"] +[15.736378, "o", "n"] +[15.737814, "o", "x"] +[15.73924, "o", "."] +[15.740736, "o", "c"] +[15.742184, "o", "o"] +[15.743678, "o", "n"] +[15.745186, "o", "f"] +[16.747881, "o", "\u001b[0m\r\n"] +[16.875123, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include 
/etc/nginx/conf.d/*.conf;\r\n}\r\n"] +[16.878026, "o", "\r\n"] +[16.879112, "o", "💭 \u001b[3;1monly once by default\u001b[0m\r\n"] +[16.879175, "o", "\u001b[32;1m❯\u001b[0m "] +[17.881, "o", "k"] +[17.882984, "o", "u"] +[17.884705, "o", "b"] +[17.88626, "o", "e"] +[17.887721, "o", "c"] +[17.889291, "o", "t"] +[17.890835, "o", "l"] +[17.89241, "o", " "] +[17.893932, "o", "-"] +[17.895454, "o", "-"] +[17.897068, "o", "c"] +[17.898808, "o", "o"] +[17.900203, "o", "n"] +[17.901694, "o", "t"] +[17.903462, "o", "e"] +[17.904969, "o", "x"] +[17.906537, "o", "t"] +[17.908059, "o", " "] +[17.909625, "o", "d"] +[17.911103, "o", "e"] +[17.912682, "o", "v"] +[17.914187, "o", " "] +[17.91578, "o", "e"] +[17.917362, "o", "x"] +[17.918862, "o", "e"] +[17.920373, "o", "c"] +[17.922071, "o", " "] +[17.923677, "o", "n"] +[17.925136, "o", "g"] +[17.926805, "o", "i"] +[17.928324, "o", "n"] +[17.929777, "o", "x"] +[17.931164, "o", "-"] +[17.932715, "o", "7"] +[17.934213, "o", "f"] +[17.935793, "o", "b"] +[17.937323, "o", "9"] +[17.938993, "o", "6"] +[17.940479, "o", "c"] +[17.941889, "o", "8"] +[17.943493, "o", "4"] +[17.944964, "o", "6"] +[17.94655, "o", "b"] +[17.948001, "o", "-"] +[17.949508, "o", "p"] +[17.951001, "o", "c"] +[17.952503, "o", "n"] +[17.954291, "o", "x"] +[17.955832, "o", "l"] +[17.957336, "o", " "] +[17.958843, "o", "-"] +[17.960348, "o", "-"] +[17.961848, "o", " "] +[17.963427, "o", "c"] +[17.964915, "o", "a"] +[17.966391, "o", "t"] +[17.967886, "o", " "] +[17.969308, "o", "/"] +[17.970848, "o", "e"] +[17.972619, "o", "t"] +[17.974056, "o", "c"] +[17.975554, "o", "/"] +[17.977056, "o", "n"] +[17.97854, "o", "g"] +[17.980044, "o", "i"] +[17.981495, "o", "n"] +[17.982983, "o", "x"] +[17.984473, "o", "/"] +[17.98594, "o", "n"] +[17.987396, "o", "g"] +[17.989021, "o", "i"] +[17.990538, "o", "n"] +[17.992021, "o", "x"] +[17.993529, "o", "."] +[17.99499, "o", "c"] +[17.996549, "o", "o"] +[17.998012, "o", "n"] +[17.9995, "o", "f"] +[19.002071, "o", "\u001b[0m\r\n"] 
+[19.040669, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] +[19.042264, "o", "\r\n"] +[19.043346, "o", "💭 \u001b[3;1mlet's request access for a while\u001b[0m\r\n"] +[19.043396, "o", "\u001b[32;1m❯\u001b[0m "] +[20.045488, "o", "k"] +[20.047871, "o", "u"] +[20.050405, "o", "b"] +[20.052373, "o", "e"] +[20.054269, "o", "c"] +[20.055895, "o", "t"] +[20.057503, "o", "l"] +[20.059062, "o", " "] +[20.060635, "o", "r"] +[20.062134, "o", "e"] +[20.063781, "o", "q"] +[20.06527, "o", "u"] +[20.066895, "o", "e"] +[20.068533, "o", "s"] +[20.070023, "o", "t"] +[20.071538, "o", " "] +[20.073179, "o", "-"] +[20.07473, "o", "-"] +[20.076129, "o", "c"] +[20.077601, "o", "o"] +[20.079054, "o", "n"] +[20.080562, "o", "t"] +[20.082047, "o", "e"] +[20.083593, "o", "x"] +[20.085029, "o", "t"] +[20.086507, "o", " "] +[20.087896, "o", "d"] +[20.089323, "o", "e"] +[20.091065, "o", "v"] +[20.092556, "o", " "] +[20.09407, "o", "e"] +[20.095562, "o", "x"] +[20.0971, "o", "e"] +[20.098679, "o", "c"] +[20.100124, "o", " "] +[20.101612, "o", "-"] +[20.1031, "o", "-"] +[20.104564, "o", "v"] +[20.106223, "o", "a"] +[20.107748, "o", "l"] +[20.109236, "o", "i"] +[20.110999, "o", "d"] +[20.112509, "o", "-"] +[20.114052, "o", "f"] +[20.115551, "o", "o"] +[20.117114, "o", "r"] +[20.118587, "o", "="] +[20.120101, "o", "1"] +[20.121609, "o", "0"] +[20.123237, "o", "m"] +[20.12473, "o", " "] +[20.126175, "o", "n"] +[20.127709, "o", "g"] +[20.129159, "o", "i"] +[20.130696, "o", "n"] +[20.132149, "o", "x"] +[20.133632, "o", "-"] +[20.135053, "o", "7"] +[20.136652, "o", "f"] +[20.138152, "o", "b"] +[20.139671, "o", "9"] +[20.141241, "o", "6"] +[20.142744, "o", "c"] +[20.144252, "o", "8"] +[20.145722, "o", "4"] +[20.147207, "o", "6"] +[20.148719, "o", "b"] +[20.150218, "o", "-"] +[20.151693, "o", "p"] +[20.153168, "o", "c"] +[20.154619, "o", "n"] +[20.156069, "o", "x"] 
+[20.157542, "o", "l"] +[20.159004, "o", " "] +[20.160401, "o", "-"] +[20.161922, "o", "-"] +[20.163418, "o", " "] +[20.164862, "o", "c"] +[20.16633, "o", "a"] +[20.168077, "o", "t"] +[20.169631, "o", " "] +[20.171097, "o", "/"] +[20.172486, "o", "e"] +[20.174053, "o", "t"] +[20.175492, "o", "c"] +[20.177209, "o", "/"] +[20.178697, "o", "n"] +[20.18016, "o", "g"] +[20.181711, "o", "i"] +[20.183245, "o", "n"] +[20.184782, "o", "x"] +[20.186413, "o", "/"] +[20.187995, "o", "n"] +[20.18971, "o", "g"] +[20.19137, "o", "i"] +[20.192952, "o", "n"] +[20.194363, "o", "x"] +[20.195884, "o", "."] +[20.197336, "o", "c"] +[20.198853, "o", "o"] +[20.200302, "o", "n"] +[20.201788, "o", "f"] +[21.204219, "o", "\u001b[0m\r\n"] +[21.256844, "o", "created accessrequest access-exec-dev-sbfwc (please wait for an admin to grant the permission)\r\n"] +[21.257975, "o", "\r\n"] +[21.258024, "o", "\u001b[32;1m❯\u001b[0m "] +[22.260439, "o", "k"] +[22.262426, "o", "u"] +[22.264201, "o", "b"] +[22.266357, "o", "e"] +[22.267998, "o", "c"] +[22.269563, "o", "t"] +[22.271321, "o", "l"] +[22.272892, "o", " "] +[22.274402, "o", "r"] +[22.276037, "o", "e"] +[22.277495, "o", "q"] +[22.279101, "o", "u"] +[22.2807, "o", "e"] +[22.282209, "o", "s"] +[22.283609, "o", "t"] +[22.285118, "o", " "] +[22.286708, "o", "-"] +[22.288197, "o", "-"] +[22.289775, "o", "c"] +[22.291336, "o", "o"] +[22.292791, "o", "n"] +[22.294247, "o", "t"] +[22.295671, "o", "e"] +[22.297071, "o", "x"] +[22.298476, "o", "t"] +[22.299874, "o", " "] +[22.301318, "o", "a"] +[22.302808, "o", "d"] +[22.304225, "o", "m"] +[22.305681, "o", "i"] +[22.30732, "o", "n"] +[22.308811, "o", " "] +[22.310249, "o", "g"] +[22.311688, "o", "r"] +[22.313156, "o", "a"] +[22.314574, "o", "n"] +[22.316024, "o", "t"] +[22.317423, "o", " "] +[22.31885, "o", "\""] +[22.320252, "o", "$"] +[22.321677, "o", "("] +[22.323395, "o", "k"] +[22.324888, "o", "u"] +[22.326401, "o", "b"] +[22.327956, "o", "e"] +[22.329383, "o", "c"] +[22.330864, "o", "t"] 
+[22.33252, "o", "l"] +[22.334043, "o", " "] +[22.33561, "o", "g"] +[22.337133, "o", "e"] +[22.338568, "o", "t"] +[22.340078, "o", " "] +[22.341547, "o", "a"] +[22.342971, "o", "c"] +[22.344367, "o", "c"] +[22.34609, "o", "e"] +[22.347582, "o", "s"] +[22.349064, "o", "s"] +[22.350709, "o", "r"] +[22.352396, "o", "e"] +[22.353906, "o", "q"] +[22.355688, "o", "u"] +[22.357, "o", "e"] +[22.358501, "o", "s"] +[22.360112, "o", "t"] +[22.361906, "o", "s"] +[22.36333, "o", "."] +[22.364727, "o", "s"] +[22.366216, "o", "p"] +[22.367673, "o", "r"] +[22.369159, "o", "e"] +[22.370576, "o", "a"] +[22.37198, "o", "d"] +[22.373441, "o", "g"] +[22.374916, "o", "r"] +[22.37653, "o", "o"] +[22.377956, "o", "u"] +[22.379369, "o", "p"] +[22.380801, "o", "."] +[22.382259, "o", "c"] +[22.383635, "o", "o"] +[22.385015, "o", "m"] +[22.386392, "o", " "] +[22.387812, "o", "-"] +[22.38923, "o", "o"] +[22.39074, "o", " "] +[22.392281, "o", "n"] +[22.393729, "o", "a"] +[22.395227, "o", "m"] +[22.396678, "o", "e"] +[22.398194, "o", " "] +[22.399589, "o", "|"] +[22.401, "o", " "] +[22.402375, "o", "c"] +[22.403862, "o", "u"] +[22.405333, "o", "t"] +[22.406822, "o", " "] +[22.408276, "o", "-"] +[22.409743, "o", "d"] +[22.411258, "o", "/"] +[22.412656, "o", " "] +[22.414072, "o", "-"] +[22.415464, "o", "f"] +[22.416956, "o", "2"] +[22.418452, "o", " "] +[22.419924, "o", "|"] +[22.421392, "o", " "] +[22.422777, "o", "t"] +[22.424274, "o", "a"] +[22.425862, "o", "i"] +[22.427362, "o", "l"] +[22.428802, "o", " "] +[22.430396, "o", "-"] +[22.431873, "o", "n"] +[22.433408, "o", "1"] +[22.434976, "o", ")"] +[22.4367, "o", "\""] +[23.439476, "o", "\u001b[0m\r\n"] +[23.529814, "o", "apiVersion: spreadgroup.com/v1\r\nkind: AccessRequest\r\nmetadata:\r\n creationTimestamp: \"2023-04-24T13:26:33Z\"\r\n generateName: access-exec-dev-\r\n generation: 1\r\n labels:\r\n username: dev\r\n name: access-exec-dev-sbfwc\r\n namespace: default\r\n resourceVersion: \"139078\"\r\n uid: 
095900ed-ce06-464e-9fa9-10848cf95157\r\nspec:\r\n customKeys: null\r\n execOptions:\r\n apiVersion: v1\r\n command:\r\n - cat\r\n - /etc/nginx/nginx.conf\r\n container: nginx\r\n kind: PodExecOptions\r\n stderr: true\r\n stdout: true\r\n forObject:\r\n name: nginx-7fb96c846b-pcnxl\r\n namespace: default\r\n resource:\r\n group: \"\"\r\n resource: pods\r\n version: v1\r\n subResource: exec\r\n userInfo:\r\n username: dev\r\n validFor: 10m0s\r\n---\r\n\"access-exec-dev-sbfwc\" requested by \"dev\"\r\n\r\n- requesting access to \"nginx-7fb96c846b-pcnxl\" and container \"nginx\" in namespace \"default\"\r\n- to run [\"cat\" \"/etc/nginx/nginx.conf\"]\r\n- for 10m0s\r\n\r\nGrant access to the request above ([yN])? "] +[24.168617, "o", "y"] +[26.048212, "o", "\r\n"] +[26.068568, "o", "created grant grant-access-exec-dev-sbfwc\r\n"] +[26.06966, "o", "\r\n"] +[26.070819, "o", "💭 \u001b[3;1mnote the validFor field\u001b[0m\r\n"] +[26.070849, "o", "\r\n"] +[26.07185, "o", "💭 \u001b[3;1mnow we can run it multiple times\u001b[0m\r\n"] +[26.071903, "o", "\u001b[32;1m❯\u001b[0m "] +[27.0737, "o", "k"] +[27.075815, "o", "u"] +[27.07767, "o", "b"] +[27.079484, "o", "e"] +[27.081029, "o", "c"] +[27.082561, "o", "t"] +[27.084124, "o", "l"] +[27.085626, "o", " "] +[27.087156, "o", "-"] +[27.088602, "o", "-"] +[27.09014, "o", "c"] +[27.091623, "o", "o"] +[27.093095, "o", "n"] +[27.094648, "o", "t"] +[27.096239, "o", "e"] +[27.09774, "o", "x"] +[27.099369, "o", "t"] +[27.100856, "o", " "] +[27.102343, "o", "d"] +[27.103812, "o", "e"] +[27.105338, "o", "v"] +[27.106787, "o", " "] +[27.108759, "o", "e"] +[27.110322, "o", "x"] +[27.111817, "o", "e"] +[27.113429, "o", "c"] +[27.114928, "o", " "] +[27.116488, "o", "n"] +[27.117987, "o", "g"] +[27.119409, "o", "i"] +[27.120939, "o", "n"] +[27.122489, "o", "x"] +[27.123986, "o", "-"] +[27.125462, "o", "7"] +[27.126941, "o", "f"] +[27.12846, "o", "b"] +[27.130143, "o", "9"] +[27.131594, "o", "6"] +[27.133117, "o", "c"] +[27.134596, "o", "8"] 
+[27.136107, "o", "4"] +[27.13761, "o", "6"] +[27.139105, "o", "b"] +[27.140599, "o", "-"] +[27.142135, "o", "p"] +[27.14362, "o", "c"] +[27.145143, "o", "n"] +[27.146858, "o", "x"] +[27.148403, "o", "l"] +[27.149906, "o", " "] +[27.151484, "o", "-"] +[27.153048, "o", "-"] +[27.154579, "o", " "] +[27.156106, "o", "c"] +[27.157594, "o", "a"] +[27.159076, "o", "t"] +[27.160602, "o", " "] +[27.162174, "o", "/"] +[27.163936, "o", "e"] +[27.165503, "o", "t"] +[27.166974, "o", "c"] +[27.168455, "o", "/"] +[27.169946, "o", "n"] +[27.171507, "o", "g"] +[27.173021, "o", "i"] +[27.174506, "o", "n"] +[27.17603, "o", "x"] +[27.177578, "o", "/"] +[27.179109, "o", "n"] +[27.180715, "o", "g"] +[27.182194, "o", "i"] +[27.183695, "o", "n"] +[27.185202, "o", "x"] +[27.186652, "o", "."] +[27.188088, "o", "c"] +[27.189693, "o", "o"] +[27.191164, "o", "n"] +[27.192662, "o", "f"] +[28.195396, "o", "\u001b[0m\r\n"] +[28.309116, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include /etc/nginx/conf.d/*.conf;\r\n}\r\n"] +[28.311361, "o", "\u001b[32;1m❯\u001b[0m "] +[29.313499, "o", "k"] +[29.315262, "o", "u"] +[29.31686, "o", "b"] +[29.318702, "o", "e"] +[29.320291, "o", "c"] +[29.321801, "o", "t"] +[29.323408, "o", "l"] +[29.32496, "o", " "] +[29.326638, "o", "-"] +[29.328169, "o", "-"] +[29.329699, "o", "c"] +[29.331219, "o", "o"] +[29.332763, "o", "n"] +[29.334367, "o", "t"] +[29.335889, "o", "e"] +[29.337427, "o", "x"] +[29.338912, "o", 
"t"] +[29.340432, "o", " "] +[29.341922, "o", "d"] +[29.343504, "o", "e"] +[29.345022, "o", "v"] +[29.346633, "o", " "] +[29.348183, "o", "e"] +[29.349963, "o", "x"] +[29.351566, "o", "e"] +[29.353054, "o", "c"] +[29.354711, "o", " "] +[29.356187, "o", "n"] +[29.357706, "o", "g"] +[29.359364, "o", "i"] +[29.360827, "o", "n"] +[29.362366, "o", "x"] +[29.364004, "o", "-"] +[29.365655, "o", "7"] +[29.367121, "o", "f"] +[29.368796, "o", "b"] +[29.370244, "o", "9"] +[29.371741, "o", "6"] +[29.373178, "o", "c"] +[29.374718, "o", "8"] +[29.376155, "o", "4"] +[29.377675, "o", "6"] +[29.379117, "o", "b"] +[29.380626, "o", "-"] +[29.382072, "o", "p"] +[29.383696, "o", "c"] +[29.385156, "o", "n"] +[29.386648, "o", "x"] +[29.388083, "o", "l"] +[29.389613, "o", " "] +[29.391041, "o", "-"] +[29.392455, "o", "-"] +[29.393834, "o", " "] +[29.395259, "o", "c"] +[29.396908, "o", "a"] +[29.398406, "o", "t"] +[29.399922, "o", " "] +[29.401394, "o", "/"] +[29.402937, "o", "e"] +[29.404604, "o", "t"] +[29.406176, "o", "c"] +[29.407755, "o", "/"] +[29.409243, "o", "n"] +[29.410964, "o", "g"] +[29.412548, "o", "i"] +[29.414193, "o", "n"] +[29.415873, "o", "x"] +[29.41736, "o", "/"] +[29.418919, "o", "n"] +[29.420348, "o", "g"] +[29.421859, "o", "i"] +[29.423364, "o", "n"] +[29.424965, "o", "x"] +[29.426485, "o", "."] +[29.427912, "o", "c"] +[29.429362, "o", "o"] +[29.431043, "o", "n"] +[29.432597, "o", "f"] +[30.435136, "o", "\u001b[0m\r\n"] +[30.548528, "o", "\r\nuser nginx;\r\nworker_processes 1;\r\n\r\nerror_log /var/log/nginx/error.log warn;\r\npid /var/run/nginx.pid;\r\n\r\n\r\nevents {\r\n worker_connections 1024;\r\n}\r\n\r\n\r\nhttp {\r\n include /etc/nginx/mime.types;\r\n default_type application/octet-stream;\r\n\r\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '\r\n '$status $body_bytes_sent \"$http_referer\" '\r\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\r\n\r\n access_log /var/log/nginx/access.log main;\r\n\r\n sendfile on;\r\n #tcp_nopush 
on;\r\n\r\n keepalive_timeout 65;\r\n\r\n #gzip on;\r\n\r\n include /etc/nginx/conf.d/*.conf;\r\n}\r\n"] +[30.550718, "o", "\r\n"] +[30.551822, "o", "💭 \u001b[3;1mbut of course only this command\u001b[0m\r\n"] +[30.551883, "o", "\u001b[32;1m❯\u001b[0m "] +[31.553681, "o", "k"] +[31.555961, "o", "u"] +[31.557568, "o", "b"] +[31.559115, "o", "e"] +[31.560609, "o", "c"] +[31.562182, "o", "t"] +[31.563967, "o", "l"] +[31.565455, "o", " "] +[31.566955, "o", "-"] +[31.568463, "o", "-"] +[31.569996, "o", "c"] +[31.571546, "o", "o"] +[31.573042, "o", "n"] +[31.574635, "o", "t"] +[31.576116, "o", "e"] +[31.57765, "o", "x"] +[31.579121, "o", "t"] +[31.58068, "o", " "] +[31.582414, "o", "d"] +[31.584095, "o", "e"] +[31.585636, "o", "v"] +[31.587083, "o", " "] +[31.588602, "o", "e"] +[31.590088, "o", "x"] +[31.591659, "o", "e"] +[31.593114, "o", "c"] +[31.594568, "o", " "] +[31.596033, "o", "n"] +[31.597579, "o", "g"] +[31.599324, "o", "i"] +[31.600854, "o", "n"] +[31.602317, "o", "x"] +[31.603942, "o", "-"] +[31.60541, "o", "7"] +[31.606857, "o", "f"] +[31.608289, "o", "b"] +[31.609897, "o", "9"] +[31.611317, "o", "6"] +[31.612857, "o", "c"] +[31.614302, "o", "8"] +[31.615774, "o", "4"] +[31.617292, "o", "6"] +[31.61879, "o", "b"] +[31.62028, "o", "-"] +[31.621811, "o", "p"] +[31.62332, "o", "c"] +[31.624882, "o", "n"] +[31.626396, "o", "x"] +[31.627893, "o", "l"] +[31.629351, "o", " "] +[31.631041, "o", "-"] +[31.632776, "o", "-"] +[31.634276, "o", " "] +[31.635772, "o", "c"] +[31.63723, "o", "a"] +[31.638738, "o", "t"] +[31.640194, "o", " "] +[31.64169, "o", "/"] +[31.643147, "o", "e"] +[31.64464, "o", "t"] +[31.646123, "o", "c"] +[31.647667, "o", "/"] +[31.649463, "o", "p"] +[31.651052, "o", "a"] +[31.652524, "o", "s"] +[31.654041, "o", "s"] +[31.655486, "o", "w"] +[31.657076, "o", "d"] +[32.659713, "o", "\u001b[0m\r\n"] +[32.708138, "o", "Error from server: admission webhook \"kube-request-access.default.svc\" denied the request without explanation\r\n"] +[32.709505, "o", 
"\r\n"] +[34.712109, "o", "\u001b[H\u001b[J"] +[34.712235, "o", "\r\n"] +[34.713681, "o", "💭 \u001b[3;1madmins can revoke access\u001b[0m\r\n"] +[34.713741, "o", "\u001b[32;1m❯\u001b[0m "] +[35.715722, "o", "k"] +[35.71737, "o", "u"] +[35.719033, "o", "b"] +[35.720623, "o", "e"] +[35.722162, "o", "c"] +[35.723705, "o", "t"] +[35.725255, "o", "l"] +[35.726777, "o", " "] +[35.728352, "o", "-"] +[35.72993, "o", "-"] +[35.731446, "o", "c"] +[35.732997, "o", "o"] +[35.734536, "o", "n"] +[35.736101, "o", "t"] +[35.73765, "o", "e"] +[35.739176, "o", "x"] +[35.740687, "o", "t"] +[35.742159, "o", " "] +[35.743671, "o", "a"] +[35.745177, "o", "d"] +[35.746677, "o", "m"] +[35.748173, "o", "i"] +[35.749777, "o", "n"] +[35.751376, "o", " "] +[35.753247, "o", "g"] +[35.75475, "o", "e"] +[35.756237, "o", "t"] +[35.757803, "o", " "] +[35.759366, "o", "a"] +[35.760865, "o", "c"] +[35.762319, "o", "c"] +[35.763955, "o", "e"] +[35.765544, "o", "s"] +[35.76706, "o", "s"] +[35.768558, "o", "r"] +[35.770258, "o", "e"] +[35.771751, "o", "q"] +[35.773231, "o", "u"] +[35.774741, "o", "e"] +[35.776225, "o", "s"] +[35.777726, "o", "t"] +[35.779191, "o", "s"] +[35.780675, "o", "."] +[35.782115, "o", "s"] +[35.78359, "o", "p"] +[35.785111, "o", "r"] +[35.786618, "o", "e"] +[35.788082, "o", "a"] +[35.78951, "o", "d"] +[35.791024, "o", "g"] +[35.792495, "o", "r"] +[35.79408, "o", "o"] +[35.795515, "o", "u"] +[35.797087, "o", "p"] +[35.798468, "o", "."] +[35.800152, "o", "c"] +[35.80168, "o", "o"] +[35.803296, "o", "m"] +[36.8054, "o", "\u001b[0m\r\n"] +[36.857332, "o", "NAME USER FOR COMMAND DURATION\r\naccess-exec-dev-sbfwc dev nginx-7fb96c846b-pcnxl [\"cat\",\"/etc/nginx/nginx.conf\"] 10m0s\r\n"] +[36.858877, "o", "\u001b[32;1m❯\u001b[0m "] +[37.860583, "o", "k"] +[37.862282, "o", "u"] +[37.864002, "o", "b"] +[37.865942, "o", "e"] +[37.867489, "o", "c"] +[37.869047, "o", "t"] +[37.870611, "o", "l"] +[37.872051, "o", " "] +[37.873488, "o", "-"] +[37.874976, "o", "-"] +[37.876377, "o", "c"] 
+[37.877763, "o", "o"] +[37.879159, "o", "n"] +[37.880617, "o", "t"] +[37.882229, "o", "e"] +[37.88373, "o", "x"] +[37.885194, "o", "t"] +[37.886693, "o", " "] +[37.888207, "o", "a"] +[37.889681, "o", "d"] +[37.891065, "o", "m"] +[37.892468, "o", "i"] +[37.893947, "o", "n"] +[37.895334, "o", " "] +[37.896724, "o", "d"] +[37.898327, "o", "e"] +[37.899795, "o", "l"] +[37.901276, "o", "e"] +[37.902724, "o", "t"] +[37.904265, "o", "e"] +[37.905761, "o", " "] +[37.907244, "o", "a"] +[37.908732, "o", "c"] +[37.910213, "o", "c"] +[37.911682, "o", "e"] +[37.913104, "o", "s"] +[37.914606, "o", "s"] +[37.916103, "o", "r"] +[37.917547, "o", "e"] +[37.918965, "o", "q"] +[37.920447, "o", "u"] +[37.922009, "o", "e"] +[37.923465, "o", "s"] +[37.924958, "o", "t"] +[37.926414, "o", "s"] +[37.927877, "o", "."] +[37.929372, "o", "s"] +[37.930845, "o", "p"] +[37.932311, "o", "r"] +[37.933763, "o", "e"] +[37.935205, "o", "a"] +[37.936673, "o", "d"] +[37.938132, "o", "g"] +[37.93952, "o", "r"] +[37.940995, "o", "o"] +[37.942447, "o", "u"] +[37.943955, "o", "p"] +[37.945351, "o", "."] +[37.946782, "o", "c"] +[37.948264, "o", "o"] +[37.949699, "o", "m"] +[37.951197, "o", " "] +[37.952788, "o", "\""] +[37.954277, "o", "$"] +[37.955735, "o", "("] +[37.957218, "o", "k"] +[37.958691, "o", "u"] +[37.960123, "o", "b"] +[37.961534, "o", "e"] +[37.962965, "o", "c"] +[37.964346, "o", "t"] +[37.965766, "o", "l"] +[37.967225, "o", " "] +[37.968725, "o", "g"] +[37.970237, "o", "e"] +[37.971706, "o", "t"] +[37.973164, "o", " "] +[37.974629, "o", "a"] +[37.976213, "o", "c"] +[37.977627, "o", "c"] +[37.97906, "o", "e"] +[37.98055, "o", "s"] +[37.982022, "o", "s"] +[37.983502, "o", "r"] +[37.984978, "o", "e"] +[37.986601, "o", "q"] +[37.988076, "o", "u"] +[37.989582, "o", "e"] +[37.991092, "o", "s"] +[37.992508, "o", "t"] +[37.994022, "o", "s"] +[37.995478, "o", "."] +[37.996889, "o", "s"] +[37.998348, "o", "p"] +[37.999779, "o", "r"] +[38.00121, "o", "e"] +[38.002601, "o", "a"] +[38.004038, "o", "d"] 
+[38.005476, "o", "g"] +[38.006929, "o", "r"] +[38.008404, "o", "o"] +[38.009844, "o", "u"] +[38.011276, "o", "p"] +[38.012735, "o", "."] +[38.014172, "o", "c"] +[38.015593, "o", "o"] +[38.017011, "o", "m"] +[38.01844, "o", " "] +[38.019917, "o", "-"] +[38.021357, "o", "o"] +[38.022783, "o", " "] +[38.02422, "o", "n"] +[38.025693, "o", "a"] +[38.027142, "o", "m"] +[38.028594, "o", "e"] +[38.030044, "o", " "] +[38.031498, "o", "|"] +[38.032939, "o", " "] +[38.034372, "o", "c"] +[38.035758, "o", "u"] +[38.037208, "o", "t"] +[38.038651, "o", " "] +[38.040115, "o", "-"] +[38.041531, "o", "d"] +[38.042988, "o", "/"] +[38.044424, "o", " "] +[38.045818, "o", "-"] +[38.047278, "o", "f"] +[38.04872, "o", "2"] +[38.050149, "o", " "] +[38.051536, "o", "|"] +[38.052938, "o", " "] +[38.054397, "o", "t"] +[38.055861, "o", "a"] +[38.057333, "o", "i"] +[38.058764, "o", "l"] +[38.060341, "o", " "] +[38.061805, "o", "-"] +[38.063261, "o", "n"] +[38.064711, "o", "1"] +[38.066195, "o", ")"] +[38.067632, "o", "\""] +[39.070099, "o", "\u001b[0m\r\n"] +[39.167099, "o", "accessrequest.spreadgroup.com \"access-exec-dev-sbfwc\" deleted\r\n"] +[39.170757, "o", "\r\n"] +[39.170956, "o", "\u001b[32;1m❯\u001b[0m "] +[40.173426, "o", "k"] +[40.175687, "o", "u"] +[40.177816, "o", "b"] +[40.179647, "o", "e"] +[40.181244, "o", "c"] +[40.182812, "o", "t"] +[40.184517, "o", "l"] +[40.186182, "o", " "] +[40.187745, "o", "-"] +[40.189265, "o", "-"] +[40.191049, "o", "c"] +[40.192581, "o", "o"] +[40.194116, "o", "n"] +[40.195647, "o", "t"] +[40.197236, "o", "e"] +[40.198788, "o", "x"] +[40.200416, "o", "t"] +[40.201882, "o", " "] +[40.203584, "o", "d"] +[40.205555, "o", "e"] +[40.207013, "o", "v"] +[40.20861, "o", " "] +[40.210243, "o", "e"] +[40.211713, "o", "x"] +[40.213292, "o", "e"] +[40.214837, "o", "c"] +[40.216413, "o", " "] +[40.217889, "o", "n"] +[40.219441, "o", "g"] +[40.220905, "o", "i"] +[40.222519, "o", "n"] +[40.224201, "o", "x"] +[40.225718, "o", "-"] +[40.227258, "o", "7"] +[40.228699, 
"o", "f"] +[40.23021, "o", "b"] +[40.231664, "o", "9"] +[40.233071, "o", "6"] +[40.234555, "o", "c"] +[40.236015, "o", "8"] +[40.237502, "o", "4"] +[40.238955, "o", "6"] +[40.240579, "o", "b"] +[40.24211, "o", "-"] +[40.243633, "o", "p"] +[40.245128, "o", "c"] +[40.246576, "o", "n"] +[40.248044, "o", "x"] +[40.24962, "o", "l"] +[40.2511, "o", " "] +[40.252553, "o", "-"] +[40.253991, "o", "-"] +[40.255536, "o", " "] +[40.25723, "o", "c"] +[40.258719, "o", "a"] +[40.260198, "o", "t"] +[40.261724, "o", " "] +[40.263326, "o", "/"] +[40.26484, "o", "e"] +[40.266423, "o", "t"] +[40.268064, "o", "c"] +[40.269816, "o", "/"] +[40.271511, "o", "n"] +[40.273229, "o", "g"] +[40.27505, "o", "i"] +[40.276768, "o", "n"] +[40.278399, "o", "x"] +[40.279875, "o", "/"] +[40.281324, "o", "n"] +[40.282924, "o", "g"] +[40.284514, "o", "i"] +[40.286018, "o", "n"] +[40.287716, "o", "x"] +[40.289282, "o", "."] +[40.291093, "o", "c"] +[40.292733, "o", "o"] +[40.294264, "o", "n"] +[40.295793, "o", "f"] +[41.298452, "o", "\u001b[0m\r\n"] +[41.337371, "o", "Error from server (Forbidden): pods \"nginx-7fb96c846b-pcnxl\" is forbidden: User \"dev\" cannot create resource \"pods/exec\" in API group \"\" in the namespace \"default\"\r\n"] +[41.339031, "o", "\r\n"] +[41.340102, "o", "💭 \u001b[3;1mand that's kube-request-access!\u001b[0m\r\n"] +[41.340142, "o", "\r\n"] +[43.340835, "o", "🎬 \u001b[32;3mEnd recording - \u001b[1mdemo.asc\u001b[0m\r\n(Powered by https://github.com/zechris/asciinema-rec_script 0.10.0)\r\n"] diff --git a/scripts/create-user b/scripts/create-user index be3eff3..51334e4 100755 --- a/scripts/create-user +++ b/scripts/create-user 
@@ -23,12 +23,14 @@ CONTEXT="${CONTEXT:-k3d-$CLUSTER_NAME}" ROLE="${ROLE:-developer}" +CSR="$NAME-$RANDOM" + # request cert cat < "$NAME.crt" +kubectl --context "$CONTEXT" get csr "$CSR" -o jsonpath='{.status.certificate}'| base64 -d > "$NAME.crt" -kubectl --context "$CONTEXT" config set-credentials "$NAME" --client-key="$NAME.key" --client-certificate="$NAME.crt" --embed-certs=true +kubectl config set-credentials "$NAME" --client-key="$NAME.key" --client-certificate="$NAME.crt" --embed-certs=true -kubectl --context "$CONTEXT" config set-context "$NAME" --cluster="$CONTEXT" --user="$NAME" +kubectl config set-context "$NAME" --cluster="$CONTEXT" --user="$NAME" rm "$NAME.key" "$NAME.csr" "$NAME.crt"
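Review bot: The added `kubectl --context "$CONTEXT" get csr "$CSR" -o jsonpath='{.status.certificate}'| base64 -d > "$NAME.crt"` line never checks that a certificate was actually issued. If `.status.certificate` is still empty (CSR not yet approved or signed), `base64 -d` writes an empty file, and the pipeline still exits 0 unless `pipefail` is set, which is not visible in this hunk. `kubectl config set-credentials … --embed-certs=true` would then embed an empty client certificate and the trailing `rm` would delete the key, so the failure surfaces only later as an authentication error. I would add `[ -s "$NAME.crt" ] || { echo "no certificate issued for $CSR" >&2; rm -f "$NAME.key" "$NAME.csr" "$NAME.crt"; exit 1; }` directly after that line, so the private key is still removed on the error path. Separately, `CSR="$NAME-$RANDOM"` depends on `$RANDOM`, which expands to nothing under a plain POSIX `sh`; the shebang and the CSR-creation and approval steps are outside the visible hunk, so confirm the script runs under bash.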