domino_admin_toolkit.checks.test_coredns_clusterrole module

pydantic model domino_admin_toolkit.checks.test_coredns_clusterrole.CoreDNSClusterRoleAnalyzer

Bases: AnalyzerBase

Validates that the CoreDNS ClusterRole grants the required resources and verbs.

Fields:
field expected_resources: list [Optional]

Expected resources for CoreDNS ClusterRole

field expected_verbs: list [Optional]

Expected verbs for CoreDNS ClusterRole

analyze(data)

Core analysis logic

Return type:

list[CheckResult]

name: ClassVar[str] = 'CoreDNSClusterRoleAnalyzer'
domino_admin_toolkit.checks.test_coredns_clusterrole.coredns_clusterrole()

Retrieves the CoreDNS ClusterRole from Kubernetes

domino_admin_toolkit.checks.test_coredns_clusterrole.test_coredns_clusterrole(coredns_clusterrole)
Description:

Verifies that CoreDNS cluster roles have expected resources and verbs defined.

Failure Conditions:
  • Missing resources in the CoreDNS cluster role definition

  • Missing verbs in the CoreDNS cluster role definition

Troubleshooting Steps:
  1. Verify that all required resources (services, namespaces, endpoints, pods) are correctly defined in the CoreDNS policy
    • Check kubectl get clusterroles --output
    • Look for policies with apiGroups: [""] and ensure they include expected resources

  2. Confirm verbs (list, watch) are present in each resource definition within the CoreDNS cluster role
    • Inspect specific resource definitions using kubectl get clusterrole <name> --output json

  3. Ensure no unexpected resources or verbs are added to the policy

Resolution Steps:
  1. Add missing resources to the CoreDNS cluster role definition using kubectl:

  2. Add missing verbs to each resource in the CoreDNS cluster role definition if required

  3. If issues persist, check Kubernetes authentication and authorization logs for discrepancies

Required Permissions:
  • Read access to Kubernetes RBAC resources (ClusterRole, ClusterRoleBinding)

  • Execute kubectl commands to inspect and modify cluster role definitions
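
The comparison described in the troubleshooting steps above can be run offline against saved kubectl JSON output. The following is an added example, not the toolkit's own analyzer code: the function name audit_clusterrole, the report keys and the sample role are hypothetical, and the expected resources and verbs are assumed from the lists on this page. Only rules for the core API group (apiGroups: [""]) are audited.

```python
import json

# Assumed expectations, taken from the troubleshooting steps on this page.
EXPECTED_RESOURCES = frozenset({"services", "namespaces", "endpoints", "pods"})
EXPECTED_VERBS = frozenset({"list", "watch"})


def audit_clusterrole(role, resources=EXPECTED_RESOURCES, verbs=EXPECTED_VERBS):
    """Compare core-group ("") grants in a ClusterRole dict with expectations."""
    granted = {}  # resource -> verbs granted across every core-group rule
    for rule in role.get("rules") or []:
        if "" not in (rule.get("apiGroups") or []):
            continue  # rules for other API groups are outside this audit
        for res in rule.get("resources") or []:
            granted.setdefault(res, set()).update(rule.get("verbs") or [])
    wildcard = granted.get("*", set())  # verbs granted on every resource
    report = {"missing_resources": [], "missing_verbs": {},
              "unexpected_resources": sorted(set(granted) - resources),
              "unexpected_verbs": {}}
    for res in sorted(resources):
        have = granted.get(res, set()) | wildcard
        if not have:
            report["missing_resources"].append(res)
            continue
        # A "*" verb satisfies the requirement but is still reported as excess.
        if "*" not in have and verbs - have:
            report["missing_verbs"][res] = sorted(verbs - have)
        if have - verbs:
            report["unexpected_verbs"][res] = sorted(have - verbs)
    return report


# Constructed sample in the shape of `kubectl get clusterrole <name> --output json`.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "example-coredns"},
 "rules": [
   {"apiGroups": [""], "resources": ["endpoints", "pods"],
    "verbs": ["list", "watch"]},
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
   {"apiGroups": [""], "resources": ["services"], "verbs": ["list"]}
 ]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_clusterrole(SAMPLE), indent=2))
```

Verbs are merged per resource across all core-group rules, so a permission split over several rules is still counted, and a wildcard grant is reported as unexpected rather than silently accepted.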