Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on a k8s Role:
type k8sRole {
id: String
context: String
apiVersion: String
kind: String
metadata {
id: String
annotations: {
id: String!
key: String
value: String
}
clusterName: String
creationTimestamp: String
deletionGracePeriodSeconds: Int
deletionTimestamp: String
finalizers: [String]
generateName: String
generation: Int
labels: {
id: String!
key: String
value: String
}
ownerReferences: {
id: String!
apiVersion: String
blockOwnerDeletion: Boolean
controller: Boolean
kind: String
name: String
}
name: String
namespace: String
resourceVersion: String
selfLink: String
}
rules {
id: String
apiGroups: [String]
nonResourceUrls: [String]
resources: [String]
resourceNames: [String]
verbs: [String]
}
namespace {
id
}
}
Get data for a single role that you know the id for:
query {
getk8sRole(id: "12345") {
id
}
}
Get data for all of the roles in a certain k8s Context:
query {
queryk8sRole(filter: { context: { eq: "my-context-name" } }) {
id
}
}
Get data for all of the roles NOT in a certain k8s Context:
query {
queryk8sRole(filter: { not: { context: { eq: "my-context-name" } } }) {
id
}
}
Get data for all of the roles that have a namespace:
query {
queryk8sRole(filter: { has: namespace }) {
id
}
}
Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the roles that have a namespace AND rules OR that do not have apiVersion. Note that you can use has, and, not, or completely independently of each other:
query {
queryk8sSecret(
filter: {
has: namespace
and: { has: rules }
or: { not: { has: apiVersion } }
}
) {
id
}
}
You may also filter using a regex when filtering on a string field like, context if you want to look for a value that matches say, some-value (case insensitive):
query {
queryk8sRole(
filter: { context: { regexp: "/.*some-value*./i" } }
) {
id
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryk8sRole(order: { desc: apiVersion }) {
type
}
}
Only select and return the first two roles that are found:
query {
queryk8sSecret(first: 2, order: { desc: context }) {
context
}
}
Only select and return the first two roles that are found, but offset by one so roles two & three are returned:
query {
queryk8sRole(first: 2, order: { desc: context }, offset: 1) {
id
}
}
Count the number of roles across all scanned K8s contexts:
query {
aggregatek8sRole {
count
}
}
Count the number of roles in a single context. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregatek8sRole(filter: { context: { eq: "my-context-name" } }) {
count
}
}
Putting it all together; get all data for all roles across all k8s contexts in a single query. For the purposes of this example we will only get direct children of the role but if you want to it's easy to go from say, role -> namespace -> job ...etc:
query {
queryk8sRole {
id
context
apiVersion
kind
metadata {
id
annotations {
id
key
value
}
clusterName
creationTimestamp
deletionGracePeriodSeconds
deletionTimestamp
finalizers
generateName
generation
labels {
id
key
value
}
ownerReferences {
id
apiVersion
blockOwnerDeletion
controller
kind
name
}
name
namespace
resourceVersion
selfLink
}
rules {
id
apiGroups
nonResourceUrls
resources
resourceNames
verbs
}
namespace {
id
context
apiVersion
kind
metadata {
id
annotations {
id
key
value
}
clusterName
creationTimestamp
deletionGracePeriodSeconds
deletionTimestamp
finalizers
generateName
generation
labels {
id
key
value
}
ownerReferences {
id
apiVersion
blockOwnerDeletion
controller
kind
name
}
name
namespace
resourceVersion
selfLink
}
spec {
finalizers
}
status {
phase
conditions {
id
lastHeartbeatTime
lastTransitionTime
message
reason
status
type
}
}
networkPolicies {
id
}
nodes {
id
}
pods {
id
}
deployments {
id
}
ingresses {
id
}
secrets {
id
}
services {
id
}
serviceAccounts {
id
}
storageClasses {
id
}
persistentVolumes {
id
}
persistentVolumeClaims {
id
}
roles {
id
}
jobs {
id
}
cronJobs {
id
}
}
}
}
