feat: introduce RBAC support with user status tracking

feat: add virtual resource UserGroup

chore: rename user to usergroup

feat: implement User Groups page with detailed views

refactor: update RulesTable and UserGroupAllRules to use PolicyRule type for improved type safety

Author: iwanhae

cmd/server/main.go

@@ -8,13 +8,10 @@ import (
 
 	"github.com/iwanhae/kuview/pkg/controller"
 	"github.com/iwanhae/kuview/pkg/server"
+	"github.com/iwanhae/kuview/pkg/types"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	v1 "k8s.io/api/core/v1"
-	discoveryv1 "k8s.io/api/discovery/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 )
 
@@ -43,13 +40,7 @@ func run(ctx context.Context) error {
 
 	mgr, err := controller.New(
 		ctx, *cfg,
-		[]client.Object{
-			&v1.Node{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"}},
-			&v1.Pod{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Pod"}},
-			&v1.Namespace{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Namespace"}},
-			&v1.Service{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Service"}},
-			&discoveryv1.EndpointSlice{TypeMeta: metav1.TypeMeta{APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}},
-		},
+		types.ObjectSchemas,
 		s,
 	)
 	if err != nil {

cmd/wasm/main.go

@@ -8,13 +8,10 @@ import (
 	"syscall/js"
 
 	"github.com/iwanhae/kuview/pkg/controller"
+	"github.com/iwanhae/kuview/pkg/types"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	v1 "k8s.io/api/core/v1"
-	discoveryv1 "k8s.io/api/discovery/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/rest"
-	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 )
@@ -45,13 +42,7 @@ func run(ctx context.Context) error {
 
 	mgr, err := controller.New(
 		ctx, cfg,
-		[]client.Object{
-			&v1.Node{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"}},
-			&v1.Pod{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Pod"}},
-			&v1.Namespace{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Namespace"}},
-			&v1.Service{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Service"}},
-			&discoveryv1.EndpointSlice{TypeMeta: metav1.TypeMeta{APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}},
-		},
+		types.ObjectSchemas,
 		emitter,
 	)
 	if err != nil {

pkg/controller/controller.go

@@ -42,7 +42,7 @@ func New(ctx context.Context, cfg rest.Config, objs []client.Object, emitter Emi
 		// Get dereferenced type of the object
 		T := reflect.TypeOf(obj).Elem()
 		c, err := controller.New(
-			fmt.Sprintf("kuview_%s", obj.GetObjectKind().GroupVersionKind().String()),
+			fmt.Sprintf("kuview_%s/%s", obj.GetObjectKind().GroupVersionKind().Group, obj.GetObjectKind().GroupVersionKind().Kind),
 			mgr, controller.Options{
 				Reconciler: &dummyReconciler{
 					T:       T,

pkg/server/event.go

@@ -44,13 +44,14 @@ func (s *Server) Emit(v *controller.Event) {
 	gvk := v.Object.GetObjectKind().GroupVersionKind()
 	namespace := v.Object.GetNamespace()
 	name := v.Object.GetName()
-	key := fmt.Sprintf("%s/%s/%s/%s", gvk.Group, gvk.Version, namespace, name)
+	key := fmt.Sprintf("%s/%s/%s/%s/%s", gvk.Group, gvk.Version, gvk.Kind, namespace, name)
 
-	if v.Type == controller.EventTypeCreate {
+	switch v.Type {
+	case controller.EventTypeCreate:
 		s.rwmu.Lock()
 		s.cache[key] = v.Object
 		s.rwmu.Unlock()
-	} else if v.Type == controller.EventTypeDelete {
+	case controller.EventTypeDelete:
 		s.rwmu.Lock()
 		delete(s.cache, key)
 		s.rwmu.Unlock()

pkg/types/const.go

@@ -0,0 +1,22 @@
+package types
+
+import (
+	v1 "k8s.io/api/core/v1"
+	discoveryv1 "k8s.io/api/discovery/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var ObjectSchemas = []client.Object{
+	&v1.Node{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"}},
+	&v1.Pod{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Pod"}},
+	&v1.Namespace{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Namespace"}},
+	&v1.Service{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Service"}},
+	&v1.ServiceAccount{TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "ServiceAccount"}},
+	&discoveryv1.EndpointSlice{TypeMeta: metav1.TypeMeta{APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}},
+	&rbacv1.ClusterRole{TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}},
+	&rbacv1.ClusterRoleBinding{TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}},
+	&rbacv1.Role{TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"}},
+	&rbacv1.RoleBinding{TypeMeta: metav1.TypeMeta{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "RoleBinding"}},
+}

src/App.tsx

@@ -9,6 +9,7 @@ import KuviewBackground from "./backgrounds/kuview";
 import Debug from "./pages/debug";
 import { PREFIX } from "./lib/const";
 import { AppSidebar } from "./components/app-sidebar";
+import UserGroupsPage from "./pages/usergroups";
 
 export default function Page() {
   return (
@@ -23,6 +24,7 @@ export default function Page() {
             <Route path={`${PREFIX}/pods`} component={Pod} />
             <Route path={`${PREFIX}/namespaces`} component={Namespace} />
             <Route path={`${PREFIX}/services`} component={Service} />
+            <Route path={`${PREFIX}/usergroups`} component={UserGroupsPage} />
             <Route path={`${PREFIX}/debug`} component={Debug} />
           </Switch>
         </div>

src/backgrounds/kuview.tsx

@@ -6,8 +6,10 @@ import {
   useKubernetesAtomSyncHook,
   useServiceEndpointSliceSyncHook,
 } from "@/lib/kuviewAtom";
+
 import { useAtomValue } from "jotai";
 import { useEffect } from "react";
+import { SyncUserGroup } from "./userGroup";
 
 interface WindowWithKuview extends Window {
   kuview: (event: KuviewEvent) => void;
@@ -70,6 +72,7 @@ function SyncKubernetes() {
         <SyncKubernetesGVK key={gvk} gvk={gvk} />
       ))}
       <SyncService />
+      <SyncUserGroup />
     </>
   );
 }

src/backgrounds/userGroup.tsx

@@ -0,0 +1,131 @@
+import { useEffect } from "react";
+import { useAtomValue, useSetAtom } from "jotai";
+import { kubernetesAtom } from "@/lib/kuviewAtom";
+import {
+  type ClusterRoleObject,
+  type RoleObject,
+  type UserGroupObject,
+  type UserGroupSpec,
+} from "@/lib/kuview";
+import { useKuview } from "@/hooks/useKuview";
+import { Status, type Condition } from "@/lib/status";
+
+// Create an virtual resource kuview.iwanhae.kr/v1/UserGroup
+export function SyncUserGroup() {
+  const r = useKuview("rbac.authorization.k8s.io/v1/Role");
+  const rb = useKuview("rbac.authorization.k8s.io/v1/RoleBinding");
+  const cr = useKuview("rbac.authorization.k8s.io/v1/ClusterRole");
+  const crb = useKuview("rbac.authorization.k8s.io/v1/ClusterRoleBinding");
+
+  const kubernetes = useAtomValue(kubernetesAtom);
+
+  const userGroupAtom = kubernetes["kuview.iwanhae.kr/v1/UserGroup"];
+  const setUserGroup = useSetAtom(userGroupAtom);
+
+  useEffect(() => {
+    const ug = new Map<string, UserGroupSpec>();
+
+    for (const binding of [...Object.values(rb), ...Object.values(crb)]) {
+      // find the role
+      let role: RoleObject | ClusterRoleObject | undefined = undefined;
+      if (binding.roleRef.kind === "Role") {
+        role =
+          r[`${binding.metadata.namespace}/${binding.roleRef.name}`] ??
+          undefined;
+      } else if (binding.roleRef.kind === "ClusterRole") {
+        role = cr[binding.roleRef.name] ?? undefined;
+      }
+
+      if (!role) {
+        continue;
+      }
+
+      // assign roles to subjects
+      for (const subject of binding.subjects || []) {
+        let name = subject.name;
+        let s: UserGroupSpec;
+        switch (subject.kind) {
+          case "User":
+            s = ug.get(name) ?? { bindings: [], roles: [], type: "User" };
+            ug.set(name, {
+              bindings: [binding, ...s.bindings],
+              roles: [role, ...s.roles],
+              type: "User",
+            });
+            break;
+          case "ServiceAccount":
+            name = `system:serviceaccount:${subject.namespace}:${subject.name}`;
+            s = ug.get(name) ?? { bindings: [], roles: [], type: "User" };
+            ug.set(name, {
+              bindings: [binding, ...s.bindings],
+              roles: [role, ...s.roles],
+              type: "User",
+            });
+            break;
+          case "Group":
+            name = `@${name}`;
+            s = ug.get(name) ?? { bindings: [], roles: [], type: "Group" };
+            ug.set(name, {
+              bindings: [binding, ...s.bindings],
+              roles: [role, ...s.roles],
+              type: "Group",
+            });
+            break;
+        }
+      }
+    }
+
+    const result: Record<string, UserGroupObject> = {};
+
+    for (const [name, spec] of ug) {
+      result[name] = {
+        kind: "UserGroup",
+        apiVersion: "kuview.iwanhae.kr/v1",
+        metadata: {
+          name,
+          uid: "",
+          resourceVersion: "",
+          creationTimestamp: "",
+        },
+        spec,
+        status: {},
+        kuviewExtra: { ...getStatus(spec.roles) },
+      };
+    }
+
+    setUserGroup(result);
+  }, [r, rb, cr, crb, setUserGroup]);
+
+  return <></>;
+}
+
+function getStatus(roles: (RoleObject | ClusterRoleObject)[]): Condition {
+  // Error: no roles
+  if (roles.length === 0) {
+    return {
+      status: Status.Error,
+      reason: "has no roles",
+    };
+  }
+
+  // Error: all roles have no rules
+  if (roles.every((role) => (role.rules ?? []).length === 0)) {
+    return {
+      status: Status.Error,
+      reason: `has ${roles.length} roles, but all of them have no rules`,
+    };
+  }
+
+  // Warn: if has ClusterRole named cluster-admin
+  if (roles.some((role) => role.metadata.name === "cluster-admin")) {
+    return {
+      status: Status.Warning,
+      reason: "has cluster-admin role, which is too powerful",
+    };
+  }
+
+  return {
+    status: Status.Running,
+    reason: `has ${roles.length} roles`,
+  };
+}