Currently, I have an ABAC policy that gives "system:authenticated" all access. K8s starts up fine when I have this defined, but if I remove it, K8s doesn't start up. I'm trying to find out what namespaces, service accounts, groups, users, etc. are being used on my K8s cluster so I can define a specific set of users/groups in the ABAC policy.
How can I get the groups and users in the K8s cluster? I'm using "kubectl --namespace=kube-system get serviceaccounts" to get the serviceaccounts... but where are the groups and users defined?
For Groups you might try (example for "system:masters"):
kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.subjects[0].kind=="Group") | select(.subjects[0].name=="system:masters") | .metadata.name'
Also, you can read all the namespaces at once by adding --all-namespaces=true to the kubectl command.
You should also check all local files for policies that might be applied.
Here is the Kubernetes documentation regarding Using ABAC Authorization.
As for users, I was only able to find a way of checking if a particular user is able, for example, to create a deployment in a namespace:
$ kubectl auth can-i create deployments --namespace dev
yes
$ kubectl auth can-i create deployments --namespace prod
no
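As an added example (editor's code, not part of the answer above): a small Python script that does the same inventory as the jq command but over every subject of every ClusterRoleBinding and RoleBinding, so you get the full set of users, groups and service accounts that an ABAC policy would have to name. The JSON sample is constructed; the `system:serviceaccount:<ns>:<name>` spelling is the username Kubernetes assigns to a service account.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings -A -o json` (a v1 List).
# Not taken from any real cluster.
SAMPLE_BINDINGS = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "RoleBinding",
         "metadata": {"name": "ci-deployer", "namespace": "dev"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "dev"},
                      {"kind": "User", "name": "alice"}]},
        # `subjects` is optional, so a binding may carry none at all.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "orphaned-binding"}},
    ],
}


def collect_subjects(bindings):
    """Return {kind: sorted names} for every subject referenced by any binding.
    Service accounts are reported as the user name Kubernetes gives them,
    'system:serviceaccount:<ns>:<name>'; bindings without subjects are skipped."""
    found = defaultdict(set)
    for item in bindings.get("items", []):
        for subj in item.get("subjects") or []:
            kind, name = subj.get("kind"), subj.get("name")
            if kind == "ServiceAccount":
                # Fall back to the binding's own namespace if the subject omits one.
                ns = subj.get("namespace") or item["metadata"].get("namespace", "")
                found["ServiceAccount"].add(f"system:serviceaccount:{ns}:{name}")
            elif kind in ("User", "Group"):
                found[kind].add(name)
    return {k: sorted(v) for k, v in found.items()}


def bindings_granting_group(bindings, group):
    """Names of bindings that list `group` anywhere in subjects, not only subjects[0]."""
    return sorted(b["metadata"]["name"] for b in bindings.get("items", [])
                  if any(s.get("kind") == "Group" and s.get("name") == group
                         for s in b.get("subjects") or []))


if __name__ == "__main__":
    # Pass a file saved from the kubectl command above, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BINDINGS
    for kind, names in sorted(collect_subjects(data).items()):
        print(kind, *names, sep="\n  ")
```

Note that a service account is also a member of the groups `system:serviceaccounts` and `system:serviceaccounts:<namespace>`, so an ABAC policy can match on those instead of listing each account.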