Why does the `--list` option to `kubectl auth can-i` display the same permissions for any user provided with `--as` option?

3/17/2020

I want to display the allowed permissions for users and service accounts in my Kubernetes cluster. To achieve this, I use the `kubectl auth can-i --list --namespace=default --as=<user>` command.

However, for any user, except my current docker-desktop user, it displays the same set of permissions:

$ kubectl auth can-i --list --namespace=default --as='foo'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]


$ kubectl auth can-i --list --namespace=default --as='bar'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

This is true both for existing service accounts, specified as system:serviceaccount:<namespace>:<serviceaccount> as well as non-existing user accounts, like foo and bar (see above).

What can be the issue?

-- Shuzheng
docker
kubernetes

1 Answer

3/17/2020

This is a weird caveat of using this command. It does not error out but falls back to showing the same permissions for nonexistent users/service accounts and for existing service accounts/users which do not have any permissions.

-- Arghya Sadhu
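An added example, not part of the question or the answer above: a small Python script that parses `kubectl auth can-i --list` output and reports whether a subject's rules are only the baseline that every authenticated principal inherits. The rows in the question are exactly the `system:basic-user` ClusterRole (create `selfsubjectaccessreviews`/`selfsubjectrulesreviews`) plus the `system:discovery` ClusterRole (GET on the discovery and health URLs), both bound to the `system:authenticated` group, so impersonating any name that has no bindings of its own prints that table. The first sample is the output from the question; the second is constructed. The function and constant names are my own, and the `/livez` and `/readyz` entries are included because newer releases add them to `system:discovery`.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    resource: str                # e.g. "pods"; "" for a non-resource URL rule
    nonresource_urls: Tuple[str, ...]
    resource_names: Tuple[str, ...]
    verbs: Tuple[str, ...]


# One row of `kubectl auth can-i --list`: an optional resource name (no brackets)
# followed by three bracketed, space-separated lists. Column alignment is ignored.
_ROW = re.compile(r"^([^\s\[]*)\s*\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")


def parse_can_i_list(text: str) -> List[Rule]:
    """Parse the table printed by `kubectl auth can-i --list` into Rule tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "Resources":
            continue  # blank line or the header row
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        resource, urls, names, verbs = m.groups()
        rules.append(Rule(resource, tuple(urls.split()), tuple(names.split()), tuple(verbs.split())))
    return rules


# Grants every authenticated principal gets via system:basic-user and system:discovery.
# (Assumption in this example: /livez and /readyz are listed because newer releases
# include them; on the 2020-era cluster in the question they are simply absent.)
_DISCOVERY_URLS = ("/api", "/api/*", "/apis", "/apis/*", "/healthz", "/livez",
                   "/openapi", "/openapi/*", "/readyz", "/version", "/version/")
BASELINE: Set[Tuple[str, str, str]] = {
    ("selfsubjectaccessreviews.authorization.k8s.io", "", "create"),
    ("selfsubjectrulesreviews.authorization.k8s.io", "", "create"),
}
BASELINE |= {("", url, "get") for url in _DISCOVERY_URLS}


def atomic_grants(rules: List[Rule]) -> Set[Tuple[str, str, str]]:
    """Expand rules into (resource, non-resource URL, verb) triples; duplicates collapse."""
    grants = set()
    for r in rules:
        targets = [(r.resource, "")] if r.resource else [("", u) for u in r.nonresource_urls]
        for res, url in targets:
            for verb in r.verbs:
                grants.add((res, url, verb))
    return grants


def extra_grants(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Grants beyond the authenticated-user baseline, i.e. evidence of a real binding."""
    return sorted(atomic_grants(rules) - BASELINE)


def baseline_only(rules: List[Rule]) -> bool:
    """True when the subject has nothing beyond what any authenticated name would get."""
    return not extra_grants(rules)


# Sample 1: the `--as='foo'` output copied from the question (note the duplicated rows).
PAGE_OUTPUT = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]
"""

# Sample 2: constructed output for a subject that really is bound to a pod-reader role.
CONSTRUCTED_OUTPUT = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
pods                                            []                  []               [get list watch]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
                                                [/api]              []               [get]
"""

if __name__ == "__main__":
    for label, out in (("foo (from the question)", PAGE_OUTPUT), ("constructed subject", CONSTRUCTED_OUTPUT)):
        rules = parse_can_i_list(out)
        verdict = "baseline only: no bindings of its own" if baseline_only(rules) \
            else f"extra grants: {extra_grants(rules)}"
        print(f"{label}: {verdict}")
```

Because `--as` never tells you whether a name exists, a baseline-only result should be followed by checking the bindings themselves, for example by listing `kubectl get rolebindings,clusterrolebindings -A -o json` and searching the `subjects` entries for the user or `system:serviceaccount:<namespace>:<name>` string you expected to be bound.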
Source: StackOverflow