From 3f164cbaf3f9ca91cb73fb4f85b9fc9b20380f2e Mon Sep 17 00:00:00 2001
From: lhan
Date: Thu, 13 Aug 2020 15:25:37 +0900
Subject: [PATCH 1/3] kind:group will not always have namespaced roles
---
 cmd/cmd.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/cmd/cmd.go b/cmd/cmd.go
index 931cdd1..1d697fd 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -108,6 +108,7 @@ func (o *Option) Run() error {
 Name: o.SubjectName,
 Kind: o.SubjectKind,
 }
+ namespaced := false
 if sub.Kind == subject.KindSA {
 k8sCfg := o.f.ToRawKubeConfigLoader()
 ns, _, err := k8sCfg.Namespace()
@@ -115,6 +116,7 @@ func (o *Option) Run() error {
 return err
 }
 sub.Namespace = ns
+ namespaced = true
 }
 client, err := o.f.KubernetesClientSet()
@@ -123,9 +125,12 @@ func (o *Option) Run() error {
 }
 exp := explorer.NewPolicyExplorer(client)
- nsp, err := exp.NamespacedSbjRoles(sub)
- if err != nil {
- return err
+ var nsp []*explorer.SubjectRole
+ if namespaced {
+ nsp, err = exp.NamespacedSbjRoles(sub)
+ if err != nil {
+ return err
+ }
 }
 clusterp, err := exp.ClusterSbjRoles(sub)
 if err != nil {
@@ -151,8 +156,10 @@ func (o *Option) Run() error {
 pp.BlankLine()
 pp.PrintHeader("Policies")
- pp.PrintPolicies(nsp)
- pp.BlankLine()
+ if namespaced {
+ pp.PrintPolicies(nsp)
+ pp.BlankLine()
+ }
 pp.PrintPolicies(clusterp)
 return nil
From 380bf00de1aabaef6373284cbf7b56398d86523c Mon Sep 17 00:00:00 2001
From: lhan
Date: Thu, 13 Aug 2020 17:05:52 +0900
Subject: [PATCH 2/3] add test
---
 clean.sh | 10 ++++++++++
 test.sh | 19 ++++++++++++++++---
 2 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100755 clean.sh
diff --git a/clean.sh b/clean.sh
new file mode 100755
index 0000000..5764dee
--- /dev/null
+++ b/clean.sh
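Review bot: In cmd/cmd.go, `Run()` now skips `exp.NamespacedSbjRoles(sub)` for every subject kind except `subject.KindSA` (the `if namespaced {` gate in the third hunk, with the matching gate around `pp.PrintPolicies(nsp)` in the fourth), yet Kubernetes RoleBindings can name User and Group subjects as well as ServiceAccounts. For a tool that reports what a subject is allowed to do, this looks like a silent false negative: a group's namespace-scoped grants would never be listed, and the output gives no sign that they were not checked. NamespacedSbjRoles is not visible here, so confirm how it behaves with an empty `sub.Namespace`; if it can search bindings for such a subject, call it for all kinds and treat an empty result as normal rather than gating on kind. At minimum, document the limitation where the flag is declared, e.g. `// namespaced is true only for ServiceAccounts; RoleBindings that name a User or Group are NOT looked up below`. `Run()` begins and ends outside these hunks.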
@@ -0,0 +1,10 @@
+#!/bin/bash -eu
+
+echo; echo "Clean up..."
+kubectl delete sa test-user
+kubectl delete psp test-psp
+kubectl delete role test-role
+kubectl delete rolebinding test
+kubectl delete clusterrolebinding test
+kubectl delete rolebinding test-group
+kubectl delete clusterrolebinding test-group
diff --git a/test.sh b/test.sh
index 35bdc44..1353e64 100755
--- a/test.sh
+++ b/test.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 echo; echo "Creating ServiceAccount..."
-kubectl create sa test-user
+kubectl create sa test-user --dry-run -o yaml | kubectl apply -f -
 echo; echo "Creating PSP..."
 cat <
Date: Fri, 14 Aug 2020 09:41:31 +0900
Subject: [PATCH 3/3] fix dry-run deprecation
---
 test.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/test.sh b/test.sh
index 1353e64..54319c4 100755
--- a/test.sh
+++ b/test.sh
@@ -1,7 +1,7 @@
 #!/bin/bash -eu
 echo; echo "Creating ServiceAccount..."
-kubectl create sa test-user --dry-run -o yaml | kubectl apply -f -
+kubectl create sa test-user --dry-run=client -o yaml | kubectl apply -f -
 echo; echo "Creating PSP..."
 cat <
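Review bot: In the new clean.sh, the `-eu` shebang stops the script at the first `kubectl delete` that fails, so if `test-user` or any earlier object is already gone, the later objects, including the PSP and both ClusterRoleBindings, are left behind in the cluster. Leftover test bindings are standing cluster-wide grants, so cleanup should be idempotent: add `--ignore-not-found` to each delete, e.g. `kubectl delete clusterrolebinding test test-group --ignore-not-found`. The deletes also run against whatever context and namespace kubectl currently points at, and a generic name like `test` could match an unrelated object; consider printing `kubectl config current-context` before deleting, or giving the test objects a more specific name prefix.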