How to check existing users and groups in a Kubernetes cluster?

7/18/2021

We can check the service accounts in a Kubernetes cluster. Likewise, is it possible to check the existing users and groups of my Kubernetes cluster with cluster admin privileges? If yes, then how? If no, then why?

NOTE: I am using EKS

-- Aman
amazon-eks
kubernetes

1 Answer

7/20/2021

Posting this as a community wiki, feel free to edit and expand.


This won't answer everything; however, there are some concepts and ideas.

In short, there's no easy way. It's not possible to do this using Kubernetes itself. The reason for this is:

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users.

It is assumed that a cluster-independent service manages normal users in the following ways:

  • an administrator distributing private keys
  • a user store like Keystone or Google Accounts
  • a file with a list of usernames and passwords

In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.

Source

More details and examples from another answer on SO


As for the EKS part that is mentioned, it should be done using AWS IAM in connection with Kubernetes RBAC. Below are articles about setting up IAM roles in a Kubernetes cluster. In the same way, it will be possible to find which role has cluster admin permissions:

If another tool is used for identity management, it should be used (e.g. LDAP).

-- moonkotte
Source: StackOverflow
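
Because normal users and groups are not API objects, the only trace of them inside the cluster is as subjects of RBAC bindings. The following is an added example, not part of the original answer: it walks the JSON from `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json` and reports every User and Group subject with its grants, including who holds cluster-admin. The sample data and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape returned by:
#   kubectl get clusterrolebindings,rolebindings --all-namespaces -o json
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice@example.com"},
               {"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "dev-team"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "orphan"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"}}
]}
""")

def external_subjects(binding_list):
    """Map (kind, name) of every User/Group subject to its role grants.

    ServiceAccounts are skipped: they are real API objects and can be
    listed directly. A binding with no "subjects" key is valid and ignored.
    """
    grants = defaultdict(list)
    for item in binding_list.get("items", []):
        # A RoleBinding is limited to its namespace, even if it references a ClusterRole.
        scope = item["metadata"].get("namespace", "*") if item["kind"] == "RoleBinding" else "*"
        role = item["roleRef"]["name"]
        for subj in item.get("subjects") or []:
            if subj["kind"] in ("User", "Group"):
                grants[(subj["kind"], subj["name"])].append((role, scope))
    return dict(grants)

def cluster_admins(grants):
    """Subjects holding cluster-admin cluster-wide (scope '*')."""
    return sorted(s for s, g in grants.items() if ("cluster-admin", "*") in g)

if __name__ == "__main__":
    grants = external_subjects(SAMPLE)
    for (kind, name), g in sorted(grants.items()):
        print(f"{kind:5} {name:20} {g}")
    print("cluster-admin:", cluster_admins(grants))
```

This lists only names that some binding references; an identity that can authenticate but has no binding will not appear. On EKS, the IAM principals behind these names are mapped outside the RBAC objects, for example in the `aws-auth` ConfigMap in `kube-system`.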