K
Q

how to check whether RBAC is enabled, using kubectl

7/9/2018

I'm trying to install a helm package on a kubernetes cluster which allegedly has RBAC disabled. I'm getting a permission error mentioning clusterroles.rbac.authorization.k8s.io, which is what I'd expect if RBAC was enabled.

Is there a way to check with kubectl whether RBAC really is disabled?

What I've tried:

  • kubectl describe nodes --all-namespaces | grep -i rbac : nothing comes up
  • kubectl describe rbac --all-namespaces | grep -i rbac : nothing comes up
  • kubectl config get-contexts | grep -i rbac : nothing comes up
  • k get clusterroles it says "No resources found", not an error message. So does that mean that RBAC is enabled?
  • kuebctl describe cluster isn't a thing

I'm aware that maybe this is the x-y problem because it's possible the helm package I'm installing is expecting RBAC to be enabled. But still, I'd like to know how to check whether or not it is enabled/disabled.

-- falsePockets
kubectl
kubernetes
rbac

Similar Questions

OpenShift / Kubernetes explanation for each of the template fields
Kubernetes Continuous deployment stage in Gitlab Online fails
presto - moving worker from docker to kubernetes
python FileNotFoundError: [Errno 2] with absolute path and file exists
My app is not accessible, is my service definition wrong?
Running a bash script using a Kubenetes Service
K8s Game Servers: Dynamically forward TCP & UDP for Pods via Service/Ingress
How to autoscale elastic search in kubernates based on load?

6 Answers

11/7/2018

You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version .rbac.authorization.k8s.io/v1.

In AKS, the best way is to check the cluster's resource details at resources.azure.com. If you can spot "enableRBAC": true, your cluster has RBAC enabled. Please note that existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use. (thanks @DennisAmeling for the clarification)

-- danielepolencic
Source: StackOverflow
7/9/2018

I wish there was a better way but what I use is:

$ kubectl cluster-info dump | grep authorization-mode

If you can execute it you should either see RBAC listed there or not, and if you don't have the permissions to do it, well, chances are that RBAC is enabled.

-- Michael Hausenblas
Source: StackOverflow
12/30/2018

For Azure (AKS) this is a bit more tricky. While the kubectl api-versions command indeed returns rbac.authorization.k8s.io/v1, the kubectl get clusterroles command doesn't return the default system: prefixed roles.

The best way to check for AKS is to check the cluster's resource details, e.g. at resources.azure.com. If "enableRBAC": true, your cluster has RBAC enabled. Existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use. So if you want to enable RBAC on AKS, you'll have to create a new cluster.

-- Dennis Ameling
Source: StackOverflow
4/3/2019

For Azure (AKS) I think Azure CLI works well.

az resource show -g <resource group name> -n <cluster name> --resource-type Microsoft.ContainerService/ManagedClusters --query properties.enableRBAC

It is basically the same thing as using resources.azure.com, but I find it quicker to use the Azure CLI

-- Olav Nybø
Source: StackOverflow
7/9/2018

Option #1: If you have access to master node then login into and check below

ps -aef | grep -i apiserver
The options should have --authorization-mode=RBAC otherwise RBAC not enabled.

Option #2:

kubectl get clusterroles | grep -i rbac

Hope this helps

Rgds Sudhakar

-- Sudhakar MNSR
Source: StackOverflow
9/13/2018

ps -aef | grep -i apiserver is the easiest way to find out.

-- devops84uk
Source: StackOverflow