authorPavel Zhukov <33721692+LeaveMyYard@users.noreply.github.com>2024-03-26 11:54:14 +0200
committerGitHub <noreply@github.com>2024-03-26 11:54:14 +0200
commit4e450f3ecf7a7df161956fe1574392e9c406054c (patch)
tree7cc088fbd8e03edb21fd041e8ee6e6d9ed7f9db8 /tests
parentfaa69edc547d36bfa7ad4edf5f5ea79906cb90de (diff)
Improve limited permissions (cherry-picked from #220) (#238)
* Add --as option to impersonate a specific user * Update test case * Don't exit if the user lacks permissions to auto-discover prometheus * Add a comment * Add support for HPA w/o cluster-level permissions * feat: cli option for --as-group (#224) * feat: cli option for --as-group * add: as-group example * Improve a message in case of API error * Return the debug log with found items in cluster --------- Co-authored-by: Robusta Runner <aantny@gmail.com> Co-authored-by: Rohan Katkar <rohan.katkar@dnv.com> Co-authored-by: LeaveMyYard <zhukovpave2001@gmail.com>
Diffstat (limited to 'tests')
-rw-r--r--tests/single_namespace_as_group.yaml38
-rw-r--r--tests/single_namespace_permissions.yaml42
2 files changed, 80 insertions, 0 deletions
diff --git a/tests/single_namespace_as_group.yaml b/tests/single_namespace_as_group.yaml
new file mode 100644
index 0000000..16f0805
--- /dev/null
+++ b/tests/single_namespace_as_group.yaml
@@ -0,0 +1,38 @@
+# Test environment for per-namespace scans using a group object ID (for e.g. Microsoft Entra)
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this Group and KRR using:
+# A user named aksdev that's part of the appdev group.
+# krr simple --as aksdev --as-group <appdev-groupID> -n kube-system
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: Group
+ # Replace <appdev-groupID> with the actual Group Object ID
+ name: <appdev-groupID>
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
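Review bot: This file and tests/single_namespace_permissions.yaml (the second hunk) both create a Role named `krr-role` and a RoleBinding named `krr-role-binding` in `kube-system`, so applying the two test setups to the same cluster makes the later apply overwrite the earlier RoleBinding's `subjects`, and the test set up first silently loses its binding. Give the objects per-test names, e.g. `name: krr-role-binding-as-group` with `roleRef.name` pointing at a correspondingly renamed Role. The `<appdev-groupID>` placeholder parses as a plain string today, but quoting it (`name: "<appdev-groupID>"`) keeps the value a string regardless of what an operator pastes in. The nested mapping keys appear to be indented by a single space while the sequences are flush; if that is the file's actual layout rather than an artifact of rendering, two-space indentation throughout would match the yamllint/Prettier default.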
diff --git a/tests/single_namespace_permissions.yaml b/tests/single_namespace_permissions.yaml
new file mode 100644
index 0000000..f6e324d
--- /dev/null
+++ b/tests/single_namespace_permissions.yaml
@@ -0,0 +1,42 @@
+# Test environment for per-namespace scans
+# The purpose of this setup is to verify that per-namespace features work without cluster level permissions
+# You can test this ServiceAccount and KRR using:
+# krr simple --as system:serviceaccount:kube-system:krr-account -n kube-system
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: krr-account
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: krr-role
+rules:
+- apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["apps"]
+ resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: krr-role-binding
+ namespace: kube-system
+subjects:
+- kind: ServiceAccount
+ name: krr-account
+ namespace: kube-system
+roleRef:
+ kind: Role
+ name: krr-role
+ apiGroup: rbac.authorization.k8s.io
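Review bot: The usage comment above `krr simple --as system:serviceaccount:kube-system:krr-account -n kube-system` does not say that impersonation itself is an RBAC-gated action: the identity in the invoking kubeconfig must be allowed the `impersonate` verb on `serviceaccounts` (and on `users`/`groups` for the `--as`/`--as-group` form in tests/single_namespace_as_group.yaml), so a reader on a restricted context gets a 403 that looks like a gap in this Role rather than a missing impersonation right. Add a line such as `# Note: --as requires the caller's own identity to hold the "impersonate" verb (typically a cluster-admin context)` above the command in both files. The Role also grants read access to `pods` and `services` in `kube-system`; since these are test fixtures, a dedicated test namespace would keep the verification of "per-namespace features without cluster-level permissions" from handing the test subject visibility into control-plane workloads.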