How to view the permissions/roles associated with a specific service account in k8s?

2/9/2019

I tried with the kubectl get sa default command, but only see some very basic values. What's the command to view the permissions/roles associated with a specific service account in k8s?

-- injoy
kubernetes
rbac

4 Answers

4/24/2020
kubectl get rolebindings,clusterrolebindings \
--all-namespaces  \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'

You can try this command to generate a table that shows the mapping.


-- Andy Wong
Source: StackOverflow

2/9/2019

Get the name of the Role that is bound to the service account default using one of the following commands: kubectl get rolebinding --output=yaml or kubectl get clusterrolebinding --output=yaml

Now get the role config using kubectl get role rolenamefrompreviouscommands.

-- joseph
Source: StackOverflow

9/16/2019

The following command could help. It basically gets the RoleBindings and ClusterRoleBindings whose .subjects[0] is the name of the ServiceAccount.

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="SERVICE_ACCOUNT_NAME")]}[{.roleRef.kind},{.roleRef.name}]{end}'

Note: it will not list the RoleBindings / ClusterRoleBindings that contain several objects in the subjects field.

For instance, if weave-net is deployed as the network plugin, you can get the Role and ClusterRole used by the weave-net ServiceAccount:

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="weave-net")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,weave-net][ClusterRole,weave-net]

Hope this helps.

-- Luc
Source: StackOverflow
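The subjects[0] gap noted in the answer above closes once every subject is checked rather than just the first. The script below is an added example, not code from any of the answers; it consumes the JSON that kubectl get rolebinding,clusterrolebinding -A -o json prints (the SAMPLE list here is constructed in that shape), and it also reports Group subjects such as system:serviceaccounts that grant a role to every service account without naming it.

```python
import json
import sys
# Constructed sample in the shape of `kubectl get rolebinding,clusterrolebinding -A -o json`.
# The kube-system RoleBinding lists the ServiceAccount second, the case a subjects[0] filter misses.
SAMPLE = json.loads("""{"items": [
 {"kind": "RoleBinding", "metadata": {"name": "weave-net", "namespace": "kube-system"},
  "roleRef": {"kind": "Role", "name": "weave-net"},
  "subjects": [{"kind": "User", "name": "alice"}, {"kind": "ServiceAccount", "name": "weave-net"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "weave-net"},
  "roleRef": {"kind": "ClusterRole", "name": "weave-net"},
  "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "all-sas-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
 {"kind": "RoleBinding", "metadata": {"name": "weave-net", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "edit"},
  "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "dev"}]}]}""")

def sa_groups(namespace):
    # Built-in groups every ServiceAccount token carries; a Group binding to one of these
    # grants the role to this account even though its name never appears in the subjects.
    return {"system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"}

def subject_matches(subject, binding_ns, sa_ns, sa_name):
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        # A RoleBinding may omit the subject namespace; it then defaults to the binding's own.
        return subject.get("name") == sa_name and (subject.get("namespace") or binding_ns) == sa_ns
    if kind == "Group":
        return subject.get("name") in sa_groups(sa_ns)
    return False

def bindings_for_service_account(binding_list, sa_ns, sa_name):
    """Return (binding kind, binding namespace, roleRef kind, roleRef name, matching subject)."""
    hits = []
    for b in binding_list.get("items", []):
        binding_ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        for s in b.get("subjects") or []:           # subjects may be absent entirely
            if subject_matches(s, binding_ns, sa_ns, sa_name):
                hits.append((b["kind"], binding_ns, b["roleRef"]["kind"], b["roleRef"]["name"],
                             f'{s["kind"]}/{s["name"]}'))
                break  # one hit per binding is enough; report the first matching subject
    return hits

if __name__ == "__main__":
    # kubectl get rolebinding,clusterrolebinding -A -o json | python3 sa_bindings.py kube-system weave-net
    live = len(sys.argv) == 3
    data, (ns, name) = (json.load(sys.stdin), sys.argv[1:3]) if live else (SAMPLE, ("kube-system", "weave-net"))
    for kind, bns, rkind, rname, via in bindings_for_service_account(data, ns, name):
        print(f"{kind:<19}{bns or '-':<12}{rkind}/{rname}  (via {via})")
```

Run against the sample, the kube-system weave-net account resolves to three bindings (its Role, its ClusterRole, and the view ClusterRole granted through the system:serviceaccounts group), while the dev account of the same name gets a different set, which is the check that a name-only filter cannot make.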

2/9/2019

In Kubernetes, a service account is mapped to privileges (cluster level or namespace level) using a ClusterRoleBinding object. You need to look up the RoleBinding or ClusterRoleBinding object and then look up the Role or ClusterRole object to see what privileges it has in the cluster.

-- P Ekambaram
Source: StackOverflow