SelfSubjectRulesReview

I’m working on an application which interacts with K8s, and tries to make the operations our users are performing as simple and straightforward as possible. We want to disable actions the user can’t perform so they don’t waste their time trying, and they understand why they can’t perform the action.

In our application, when creating certain custom resources, it’s not enough to just have create permission on a single resource, but often requires create permission on multiple resources. (Whether or not that is the best option is not for this topic 🙂).

We’ve been using SelfSubjectRulesReview based on the documentation:

SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions.

However, some folks have recently become concerned by our use of this API, because there is also documentation (same page) which states:

This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation.

FWIW, we’re exclusively using the RBAC authorizer.

So, the documentation seems to be self-contradictory – if the answer is not complete, then it doesn’t seem appropriate for use in a UI.

The concern is that this API is not meant to return the complete set of permissions a user has (because of the documentation around being “incomplete”), and could result in us thinking the user doesn’t have some permission when they actually do. Or, if the API happens to give us a complete answer now, a future update to K8s may no longer return the full set of results.

What we’ve actually seen, though, is that the list returned by SelfSubjectRulesReview may have multiple results for a given resource (if, for example, the user has been bound to multiple roles which all affect that resource), and that if we make sure to iterate and take the union of all the results, we will get the right answer.

The alternative would be to use the SubjectAccessReview API instead, although that would require making numerous API calls to get back everything we need.

We’re looking for a definitive answer as to whether or not the SelfSubjectRulesReview API can be relied upon for our scenario.
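One way to implement the "iterate and take the union" approach described in the post, as an added example that is not the poster's code: the status payload is constructed to mirror the `status` shape of an `authorization.k8s.io/v1` SelfSubjectRulesReview (`resourceRules`, `incomplete`), with made-up roles and resources, and the helper surfaces `incomplete` so the UI can fall back to SubjectAccessReview instead of showing a hard block.

```python
# Constructed sample of SelfSubjectRulesReview.status for a user bound to
# two roles that both touch "pods". Field names follow the real API; the
# rule contents are invented for this example.
SAMPLE_STATUS = {
    "incomplete": False,
    "resourceRules": [
        {"verbs": ["get", "list"], "apiGroups": [""], "resources": ["pods"]},
        {"verbs": ["create"], "apiGroups": [""], "resources": ["pods"]},
        {"verbs": ["create"], "apiGroups": ["example.com"], "resources": ["widgets"]},
        {"verbs": ["*"], "apiGroups": ["apps"], "resources": ["deployments"],
         "resourceNames": ["frontend"]},
    ],
    "nonResourceRules": [],
}


def _matches(rule_values, wanted):
    # RBAC treats "*" as a wildcard for verbs, apiGroups and resources.
    return "*" in rule_values or wanted in rule_values


def _covers(rule, api_group, resource, name):
    """True if one rule applies to (api_group, resource[, name])."""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    # A name-scoped rule only applies when we ask about one of those names.
    return not names or name in names


def allowed_verbs(status, api_group, resource, name=None):
    """Union of verbs over every rule covering the resource (one rule per
    bound role is common, so stopping at the first match under-reports)."""
    verbs = set()
    for rule in status.get("resourceRules", []):
        if _covers(rule, api_group, resource, name):
            verbs.update(rule.get("verbs", []))
    return verbs


def can(status, verb, api_group, resource, name=None):
    return _matches(allowed_verbs(status, api_group, resource, name), verb)


def can_create_all(status, targets):
    """(decision, incomplete): decision is True only if 'create' is granted on
    every (apiGroup, resource) in targets. If incomplete is True the server
    says the rule list may be partial, so a False decision is not a proven
    denial and should be re-checked with SubjectAccessReview."""
    decision = all(can(status, "create", g, r) for g, r in targets)
    return decision, bool(status.get("incomplete", False))
```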