Kubevious produces synthetic properties by joining multiple configurations from Kubernetes to improve overall Kubernetes usability. Such synthetic properties can be accessed inside target and rule scripts. One good example is the Resource Role Matrix on Service Account item, which combines permissions across relevant (Cluster) Role Bindings and (Cluster) Roles.
The target script below selects Applications whose Service Account has been granted access to Kubernetes Secrets through any binding. Because Service Accounts sit directly underneath Applications in the Kubevious hierarchy, the children function is sufficient here; descendants would also work but walks the whole subtree.
select('Application')
    .filter(({item}) => {
        // Walk the Application's Service Accounts and look at the
        // synthetic 'resource-role-matrix' property on each one.
        for (var svcAccount of item.children('Service Account'))
        {
            var roleMatrix = svcAccount.getProperties('resource-role-matrix');
            // Each row is one (resource, verbs, ...) permission joined from
            // the relevant (Cluster)RoleBindings and (Cluster)Roles.
            for (var row of roleMatrix.rows)
            {
                if (row.resource === 'secrets')
                {
                    return true;
                }
            }
        }
        return false;
    })
The targets of the script above are Application items, so any errors, warnings, or markers produced by the rule are attached to the Application, not to the Service Account that actually holds the permission. If the finding should point at the Service Account itself, target Service Accounts instead, as below. The filter can be as complex as the policy requires: it can inspect the verbs granted (get, update, delete, etc.), the namespace the permission applies to, and the name of the resource, all of which are available on the matrix rows.
select('Service Account')
    .filter(({item}) => {
        // The matrix is available directly on the Service Account item.
        var roleMatrix = item.getProperties('resource-role-matrix');
        for (var row of roleMatrix.rows)
        {
            if (row.resource === 'secrets')
            {
                return true;
            }
        }
        return false;
    })
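The following is an added example, not code from the Kubevious project, showing the kind of verb- and namespace-aware predicate the paragraph above describes. It models the filter body of a Service Account target script over a constructed resource-role-matrix fixture so that it runs offline; the row shape (namespace, resource, name, verbs) and the fixture contents are assumptions, and the real synthetic property may name or structure these fields differently. It also handles two things an exact comparison with 'secrets' does not: a Role that grants resources: ['*'] or verbs: ['*'], and a permission scoped to one namespace. Whether Kubevious expands such wildcard rules in the matrix or reproduces them literally is not stated on this page, so the matcher accepts both forms.

```javascript
// Added example: wildcard- and namespace-aware check for Secrets access,
// written against an ASSUMED row shape { namespace, resource, name, verbs }.
// Not Kubevious's own code; the fixture below is constructed for illustration.

// Verbs that let a principal change or remove Secrets rather than only read them.
const WRITE_VERBS = ['create', 'update', 'patch', 'delete', 'deletecollection'];

// RBAC rules may grant '*' for a resource, a verb, or a namespace; treat
// '*' as matching anything so such rules are not silently skipped.
function matches(value, wanted) {
    return value === '*' || value === wanted;
}

// Return the matrix rows that grant at least one of `verbs` on `resource`.
// When `namespace` is given, rows bound to a different namespace are
// excluded; rows with no namespace are treated as cluster-wide.
// A non-empty `name` list on a row means the Role used resourceNames to
// narrow the grant to specific objects; callers can inspect it if needed.
function rowsGranting(roleMatrix, { resource, verbs, namespace } = {}) {
    return roleMatrix.rows.filter(row => {
        if (!matches(row.resource, resource)) {
            return false;
        }
        if (namespace && row.namespace && !matches(row.namespace, namespace)) {
            return false;
        }
        const rowVerbs = Array.isArray(row.verbs) ? row.verbs : [row.verbs];
        return rowVerbs.some(v => v === '*' || verbs.includes(v));
    });
}

// The predicate a Service Account target script would return from its
// filter callback, e.g.:
//   select('Service Account').filter(({item}) =>
//       canWriteSecrets(item.getProperties('resource-role-matrix')))
function canWriteSecrets(roleMatrix, namespace) {
    return rowsGranting(roleMatrix, { resource: 'secrets', verbs: WRITE_VERBS, namespace }).length > 0;
}

// Constructed fixtures standing in for item.getProperties('resource-role-matrix').
const FIXTURES = {
    // Read-only access: should not be flagged as a write capability.
    readOnly: { rows: [
        { namespace: 'default', resource: 'secrets', name: [], verbs: ['get', 'list'] },
    ] },
    // A cluster-wide '*' verb grant on secrets, as from a permissive ClusterRole.
    wildcardVerbs: { rows: [
        { namespace: '', resource: 'secrets', name: [], verbs: ['*'] },
    ] },
    // resources: ['*'] with only 'get': an exact 'secrets' comparison misses this.
    wildcardResource: { rows: [
        { namespace: 'kube-system', resource: '*', name: [], verbs: ['get'] },
    ] },
    // Update rights on one named Secret in one namespace only.
    scoped: { rows: [
        { namespace: 'prod', resource: 'secrets', name: ['db-creds'], verbs: ['update'] },
    ] },
};
```

The namespace argument is what lets one rule distinguish "can update Secrets in prod" from "can update Secrets somewhere"; the `name` field is left for the caller so that a rule can decide whether a resourceNames-scoped grant is acceptable or not.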