From de3db1eec34fb0a14588cdce0601e1a544cd4f40 Mon Sep 17 00:00:00 2001
From: Cao Shufeng <caosf.fnst@cn.fujitsu.com>
Date: Sat, 22 Apr 2017 18:28:13 +0800
Subject: [PATCH] add subresource support to kube auth can-i

Eg:
    kubectl auth can-i get pods --subresource=log
---
 hack/verify-flags/known-flags.txt |  1 +
 pkg/kubectl/cmd/auth/cani.go      | 18 ++++++++++++------
 pkg/kubectl/cmd/auth/cani_test.go | 12 ++++++++++++
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index a52081ea25e..41197f106e8 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -667,6 +667,7 @@ storage-media-type
 storage-version
 storage-versions
 streaming-connection-idle-timeout
+subresource
 suicide-timeout
 sync-frequency
 system-cgroups
diff --git a/pkg/kubectl/cmd/auth/cani.go b/pkg/kubectl/cmd/auth/cani.go
index 0983318ff5c..89f7c5de28a 100644
--- a/pkg/kubectl/cmd/auth/cani.go
+++ b/pkg/kubectl/cmd/auth/cani.go
@@ -45,6 +45,7 @@ type CanIOptions struct {
 
 	Verb         string
 	Resource     schema.GroupVersionResource
+	Subresource  string
 	ResourceName string
 
 	Out io.Writer
@@ -70,7 +71,10 @@ var (
 		kubectl auth can-i '*' '*'
 
 		# Check to see if I can get the job named "bar" in namespace "foo"
-		kubectl auth can-i list jobs.batch/bar -n foo`)
+		kubectl auth can-i list jobs.batch/bar -n foo
+
+		# check to see if I can read pod logs
+		kubectl auth can-i get pods --subresource=log`)
 )
 
 func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
@@ -101,6 +105,7 @@ func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
 
 	cmd.Flags().BoolVar(&o.AllNamespaces, "all-namespaces", o.AllNamespaces, "If true, check the specified action in all namespaces.")
 	cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "If true, suppress output and just return the exit code.")
+	cmd.Flags().StringVar(&o.Subresource, "subresource", "", "SubResource such as pod/log or deployment/scale")
 	return cmd
 }
 
@@ -149,11 +154,12 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
 	sar := &authorizationapi.SelfSubjectAccessReview{
 		Spec: authorizationapi.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authorizationapi.ResourceAttributes{
-				Namespace: o.Namespace,
-				Verb:      o.Verb,
-				Group:     o.Resource.Group,
-				Resource:  o.Resource.Resource,
-				Name:      o.ResourceName,
+				Namespace:   o.Namespace,
+				Verb:        o.Verb,
+				Group:       o.Resource.Group,
+				Resource:    o.Resource.Resource,
+				Subresource: o.Subresource,
+				Name:        o.ResourceName,
 			},
 		},
 	}
diff --git a/pkg/kubectl/cmd/auth/cani_test.go b/pkg/kubectl/cmd/auth/cani_test.go
index 6c1bde3ed93..52940efd077 100644
--- a/pkg/kubectl/cmd/auth/cani_test.go
+++ b/pkg/kubectl/cmd/auth/cani_test.go
@@ -92,6 +92,18 @@ func TestRunAccessCheck(t *testing.T) {
 				`{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`,
 			},
 		},
+		{
+			name: "sub resource",
+			o: &CanIOptions{
+				AllNamespaces: true,
+				Subresource:   "log",
+			},
+			args:    []string{"get", "pods"},
+			allowed: true,
+			expectedBodyStrings: []string{
+				`{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`,
+			},
+		},
 	}
 
 	for _, test := range tests {