How to debug or analyze Kubernetes RBAC rule verbs and API Groups

1/3/2021

How can I debug all Rules with their Verbs and ApiGroups for a Kubernetes ServiceAccount?

-- Matthias M
kubernetes

2 Answers

1/4/2021

kubectl supports testing the RBAC rights for a particular Service Account with the auth can-i sub-command. The syntax looks as follows:

kubectl auth can-i -n <namespace> --as system:serviceaccount:<namespace>:<serviceaccount> <verb> <resource>

For example:

kubectl auth can-i --as system:serviceaccount:default:my-serviceaccount create deployments

More information can be found here.

-- Fritz Duchardt
Source: StackOverflow

1/3/2021

k9s offers some nice views for this task:

1. Find Role Bindings

First you have to find the ClusterRoleBindings or RoleBindings for a ServiceAccount:

  • Type : and clusterrolebindings or rolebindings
  • Search for your ServiceAccount by / and name of ServiceAccount (e.g. monitor-kube-prometheus-st-operator)
  • Now k9s lists all (Cluster)RoleBindings

2. Display Role Bindings

  • Open (Cluster)RoleBindings
  • All given and forbidden rules are displayed
-- Matthias M
Source: StackOverflow
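
The two steps from the k9s answer (find the bindings for a ServiceAccount, then show the rules of the roles they reference) can also be done over a JSON dump of the RBAC objects. This is an added example, not code from either answer; the `obj` helper, the sample objects and the output layout are assumptions made for illustration, and it also matches the implicit ServiceAccount groups, which goes beyond what the answers cover.

```python
import json
import sys

def subject_key(s):
    # ServiceAccount subjects carry a namespace; Group subjects do not.
    return (s["kind"], s.get("namespace") if s["kind"] == "ServiceAccount" else None, s["name"])

def rules_for(dump, namespace, name):
    """Return (binding, scope, apiGroups, resources, verbs) rows for one ServiceAccount."""
    ids = {("ServiceAccount", namespace, name),  # the account plus its implicit groups
           ("Group", None, "system:serviceaccounts"),
           ("Group", None, "system:serviceaccounts:" + namespace),
           ("Group", None, "system:authenticated")}
    roles = {(i["kind"], i["metadata"].get("namespace"), i["metadata"]["name"]): i.get("rules") or []
             for i in dump["items"] if i["kind"] in ("Role", "ClusterRole")}
    rows = []
    for b in dump["items"]:
        is_binding = b["kind"] in ("RoleBinding", "ClusterRoleBinding")
        if not (is_binding and any(subject_key(s) in ids for s in b.get("subjects") or [])):
            continue
        bind_ns, ref = b["metadata"].get("namespace"), b["roleRef"]
        # A RoleBinding may point at a ClusterRole; the grant stays limited to bind_ns.
        role_ns = bind_ns if ref["kind"] == "Role" else None
        for r in roles.get((ref["kind"], role_ns, ref["name"]), []):
            res = r.get("resources") or r.get("nonResourceURLs", [])
            rows.append((b["metadata"]["name"], bind_ns or "<cluster-wide>", r.get("apiGroups", []), res, r["verbs"]))
    return rows

def obj(kind, name, ns=None, **rest):
    # Hypothetical helper that builds the constructed sample objects below.
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **rest}

# Constructed sample in the shape of a `kubectl get ... -o json` List (not real cluster data).
POD_RULE = {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}
APP_RULE = {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "patch"]}
SAMPLE = {"items": [
    obj("Role", "deployer", "default", rules=[APP_RULE]),
    obj("ClusterRole", "pod-reader", rules=[POD_RULE]),
    obj("RoleBinding", "deployer-binding", "default", roleRef={"kind": "Role", "name": "deployer"},
        subjects=[{"kind": "ServiceAccount", "namespace": "default", "name": "my-serviceaccount"}]),
    obj("ClusterRoleBinding", "all-sa-read-pods", roleRef={"kind": "ClusterRole", "name": "pod-reader"},
        subjects=[{"kind": "Group", "name": "system:serviceaccounts"}]),
]}

if __name__ == "__main__":
    # Live use: kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
    # piped into this script with <namespace> <serviceaccount> as arguments.
    live = len(sys.argv) == 3
    ns, sa = sys.argv[1:3] if live else ("default", "my-serviceaccount")
    for row in rules_for(json.load(sys.stdin) if live else SAMPLE, ns, sa):
        print(*row, sep="\t")
```

Rows that come from a Group subject are the ones a search for the ServiceAccount name alone will not surface, so they are worth checking when the effective rights look broader than the named bindings explain.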