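#######################################
# Report what the current kubectl identity is allowed to do, cluster-wide and
# inside $NAMESPACE, by probing with `kubectl auth can-i`.
# Globals:   NAMESPACE (read)
# Arguments: none
# Outputs:   progress and results through log(); matching role-binding rows
#            from kubectl/grep go to stdout
# Returns:   0 when each of the RunAI, namespace and RBAC groups has at least
#            one allowed verb; 1 when any of those groups has none
#######################################
check_permissions() {
  log "Checking cluster permissions..."

  local has_issues=0
  local resource # keep the loop variable out of the caller's scope

  # Declaration and assignment are split so a kubectl failure is not hidden
  # behind the exit status of `local`; on failure fall back to an empty name.
  local current_user
  current_user=$(kubectl config view --minify --output 'jsonpath={..user.username}') || current_user=""
  log "Current user context: $current_user"

  # Cluster-scoped resources: informational only, never sets has_issues.
  # NOTE(review): can-i also exits non-zero when the request itself fails, so
  # a "✗" can mean "denied" or "could not ask the API server" -- confirm if
  # the distinction matters to callers.
  log "Checking cluster-level permissions..."
  local -a cluster_resources=("nodes" "namespaces" "clusterroles" "clusterrolebindings" "persistentvolumes")
  for resource in "${cluster_resources[@]}"; do
    if kubectl auth can-i get "$resource" &>/dev/null; then
      log "✓ Can access $resource"
    else
      log "✗ Cannot access $resource"
    fi
  done

  # RunAI custom resources: any single allowed verb counts as "found".
  log "Checking RunAI custom resource permissions..."
  local -a runai_resources=("projects.run.ai" "departments.run.ai" "trainingworkloads.run.ai" "inferenceworkloads.run.ai")
  local runai_permission_found=false
  local get_mark create_mark delete_mark
  for resource in "${runai_resources[@]}"; do
    get_mark="✗"
    create_mark="✗"
    delete_mark="✗"

    if kubectl auth can-i get "$resource" -n "$NAMESPACE" &>/dev/null; then
      get_mark="✓"
      runai_permission_found=true
    fi
    if kubectl auth can-i create "$resource" -n "$NAMESPACE" &>/dev/null; then
      create_mark="✓"
      runai_permission_found=true
    fi
    if kubectl auth can-i delete "$resource" -n "$NAMESPACE" &>/dev/null; then
      delete_mark="✓"
      runai_permission_found=true
    fi

    log "Resource: $resource"
    log " - Get: $get_mark"
    log " - Create: $create_mark"
    log " - Delete: $delete_mark"
  done

  if [[ "$runai_permission_found" != true ]]; then
    log "WARNING: No RunAI resource permissions found"
    has_issues=1
  fi

  # Namespace workloads. "Can manage" is decided by the `create` verb alone;
  # it says nothing about get/list/update/delete (e.g. create on secrets does
  # not imply the identity can read existing secrets).
  log "Checking namespace-level permissions in $NAMESPACE..."
  local -a ns_resources=("pods" "deployments" "services" "configmaps" "secrets")
  local ns_permission_found=false
  for resource in "${ns_resources[@]}"; do
    if kubectl auth can-i create "$resource" -n "$NAMESPACE" &>/dev/null; then
      log "✓ Can manage $resource"
      ns_permission_found=true
    else
      log "✗ Cannot manage $resource"
    fi
  done

  if [[ "$ns_permission_found" != true ]]; then
    log "WARNING: No namespace-level permissions found"
    has_issues=1
  fi

  # RBAC objects. Being able to create roles/rolebindings lets an identity
  # hand out access inside the namespace, so a "✓" here marks a high-privilege
  # account that deserves review.
  log "Checking RBAC permissions..."
  local -a rbac_resources=("roles" "rolebindings")
  local has_rbac_permissions=false
  for resource in "${rbac_resources[@]}"; do
    if kubectl auth can-i create "$resource" -n "$NAMESPACE" &>/dev/null; then
      log "✓ Can manage $resource"
      has_rbac_permissions=true
    else
      log "✗ Cannot manage $resource"
    fi
  done

  if [[ "$has_rbac_permissions" != true ]]; then
    log "WARNING: No RBAC management permissions found"
    has_issues=1
  fi

  # Role-binding listing (informational; does not affect the return value).
  log "Current role bindings for $current_user:"
  local bindings
  if [[ -z "$current_user" ]]; then
    # An empty pattern makes grep match every row, which would print every
    # binding in the cluster under this user's heading. The jsonpath above
    # reads the kubeconfig `username` field, which is typically unset for
    # token, client-certificate or exec-plugin credentials.
    log "Could not determine a username from the kubeconfig; skipping role binding lookup"
  elif ! bindings=$(kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide); then
    # Do not report "none found" when the listing itself failed.
    log "WARNING: Unable to list role bindings"
  else
    # -F: the username is data, not a regex; --: it may start with '-'.
    # This is a substring match on the table output, so it can over-match
    # (e.g. "admin" vs "cluster-admin") and it does not see access granted
    # through group subjects.
    printf '%s\n' "$bindings" | grep -F -i -- "$current_user" || log "No role bindings found"
  fi

  return "$has_issues"
}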