website logo
HomeGithubSlack
⌘K
Overview
Quick Start
Supported Services
Running CloudGraph in EKS
Compliance
Rules Engine
AWS
Querying AWS Data
AWS Policy Packs
Billing Data
Services
Azure
Querying Azure Data
Azure Policy Packs
Services
GCP
Querying GCP Data
GCP Policy Packs
Services
K8s
Querying Kubernetes Data
Services
Docs powered by archbee 

Role

15min

Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on a k8s Role:

GraphQL
|
type k8sRole {
  id: String
  context: String
  apiVersion: String
  kind: String
  metadata {
    id: String
    annotations: {
      id: String!
      key: String
      value: String
    }
    clusterName: String
    creationTimestamp: String
    deletionGracePeriodSeconds: Int
    deletionTimestamp: String
    finalizers: [String]
    generateName: String
    generation: Int
    labels: {
      id: String!
      key: String
      value: String
    }
    ownerReferences: {
      id: String!
      apiVersion: String
      blockOwnerDeletion: Boolean
      controller: Boolean
      kind: String
      name: String
    }
    name: String
    namespace: String
    resourceVersion: String
    selfLink: String
  }
  rules {
    id: String
    apiGroups: [String]
    nonResourceUrls: [String]
    resources: [String]
    resourceNames: [String]
    verbs: [String]
  }
  namespace {
    id
    # Other namespace fields
  }
}


Filtering

Get data for a single role that you know the id for:

GraphQL
|
query {
  getk8sRole(id: "12345") {
    id
    # Other fields and connections here...
  }
}


Get data for all of the roles in a certain k8s Context:

GraphQL
|
query {
  queryk8sRole(filter: { context: { eq: "my-context-name" } }) {
    id
    # Other fields and connections here...
  }
}


Get data for all of the roles NOT in a certain k8s Context:

GraphQL
|
query {
  queryk8sRole(filter: { not: { context: { eq: "my-context-name" } } }) {
    id
    # Other fields and connections here...
  }
}




Advanced Filtering

Get data for all of the roles that have a namespace:

GraphQL
|
query {
  queryk8sRole(filter: { has: namespace }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "namespace" you can filter
# Using "has" based on any of the following attributes:

# apiVersion
# kind
# metadata
# rules


Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the roles that have a namespace AND rules OR that do not have apiVersion. Note that you can use has, and, not, or completely independently of each other:

GraphQL
|
query {
  queryk8sSecret(
    filter: {
      has: namespace
      and: { has: rules }
      or: { not: { has: apiVersion } }
    }
  ) {
    id
    # Other fields and connections here...
  }
}


You may also filter using a regex when filtering on a string field like, context if you want to look for a value that matches say, some-value (case insensitive):

GraphQL
|
query {
  queryk8sRole(
    filter: { context: { regexp: "/.*some-value*./i" } }
  ) {
    id
    # Other fields and connections here...
  }
}


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryk8sRole(order: { desc: apiVersion }) {
    type
    # Other fields and connections here...
  }
}

# Note that in addition to "type" you can filter
# Using "asc" or "desc" based on any of the following attributes:

# id
# kind
# context


Only select and return the first two roles that are found:

GraphQL
|
query {
  queryk8sSecret(first: 2, order: { desc: context }) {
    context
    # Other fields and connections here...
  }
}


Only select and return the first two roles that are found, but offset by one so roles two & three are returned:

GraphQL
|
query {
  queryk8sRole(first: 2, order: { desc: context }, offset: 1) {
    id
    # Other fields and connections here...
  }
}


Aggregation

Count the number of roles across all scanned K8s contexts:

GraphQL
|
query {
  aggregatek8sRole {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# Following min and max values based on attributes of your Namespaces:

# idMin
# idMax
# contextMin
# contextMax
# kindMin
# kindMax
# apiVersionMin
# apiVersionMax


Count the number of roles in a single context. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregatek8sRole(filter: { context: { eq: "my-context-name" } }) {
    count
    # Other fields and connections here...
  }
}


Kitchen Sink

Putting it all together; get all data for all roles across all k8s contexts in a single query. For the purposes of this example we will only get direct children of the role but if you want to it's easy to go from say, role -> namespace -> job ...etc:

GraphQL
|
query {
  queryk8sRole {
    id
    context
    apiVersion
    kind
    metadata {
      id
      annotations {
        id
        key
        value
      }
      clusterName
      creationTimestamp
      deletionGracePeriodSeconds
      deletionTimestamp
      finalizers
      generateName
      generation
      labels {
        id
        key
        value
      }
      ownerReferences {
        id
        apiVersion
        blockOwnerDeletion
        controller
        kind
        name
      }
      name
      namespace
      resourceVersion
      selfLink
    }
    rules {
      id
      apiGroups
      nonResourceUrls
      resources
      resourceNames
      verbs
    }
    namespace {
      id
      context
      apiVersion
      kind
      metadata {
        id
        annotations {
          id
          key
          value
        }
        clusterName
        creationTimestamp
        deletionGracePeriodSeconds
        deletionTimestamp
        finalizers
        generateName
        generation
        labels {
          id
          key
          value
        }
        ownerReferences {
          id
          apiVersion
          blockOwnerDeletion
          controller
          kind
          name
        }
        name
        namespace
        resourceVersion
        selfLink
      }
      spec {
        finalizers
      }
      status {
        phase
        conditions {
          id
          lastHeartbeatTime
          lastTransitionTime
          message
          reason
          status
          type
        }
      }
      networkPolicies {
          id
          # any networkPolicy properties
      }
      nodes {
          id
          # any node properties
      }
      pods {
          id
          # any pod properties
      }
      deployments {
          id
          # any deployment properties
      }
      ingresses {
          id
          # any ingress properties
      }
      secrets {
          id
          # any secret properties
      }
      services {
          id
          # any service properties
      }
      serviceAccounts {
          id
          # any serviceAccount properties
      }
      storageClasses {
          id
          # any storageClass properties
      }
      persistentVolumes {
          id
          # any persistentVolume properties
      }
      persistentVolumeClaims {
          id
          # any persistentVolumeCalim properties
      }
      roles {
          id
          # any role properties
      }
      jobs {
          id
          # any job properties
      }
      cronJobs {
          id
          # any cronJob properties
      }
    }
  }
}


References

Dgraph documentation on querying

K8s Role Documentation

Updated 03 Mar 2023
Did this page help you?
Yes
No
PREVIOUS
Pod
NEXT
Secret
Docs powered by archbee 
TABLE OF CONTENTS
Overview
Filtering
Advanced Filtering
Ordering
Aggregation
Kitchen Sink
References