Matthias M
Reputation: 14930
How to debug or analyze Kubernetes RBAC rule verbs and Api Groups
How can I debug all Rules with their Verbs and ApiGroups for a kubernetes ServiceAccount?
Upvotes: 3
Views: 1553
Answers (2)
Fritz Duchardt
Reputation: 11930
kubectl supports testing the RBAC rights for a particular Service Account with the auth can-i sub-command. The syntax looks as follows:
kubectl auth can-i -n --as system:serviceaccount:<namespace>:<serviceaccount> <verb> <resource>
For example:
kubectl auth can-i --as system:serviceaccount:default:my-serviceaccount create deployments
More information can be found here.
Upvotes: 4
Matthias M
Reputation: 14930
k9s offer some nice views for this task:
1. Find Role Bindings
First you have to find the ClusterRoleBindings or RoleBindings for a ServiceAccount:
- Type
:andclusterrolebindingsorrolebindings - Search for your ServiceAccount by
/and name of ServiceAccount (e.g.monitor-kube-prometheus-st-operator) - Now k9s lists all
(Cluster)RoleBindings
2. Display Role Bindings
- Open
(Cluster)RoleBindings - All given and forbidden rules are displayed:
Upvotes: 4
Related Questions
- RBAC rules not working in cluster with Kubeadm
- List of Kubernetes RBAC rule verbs
- kubernetes RBAC role verbs to exec to pod
- What apiGroups and resources exist for RBAC rules in kubernetes?
- Any docs on what rights need to be given to do a thing on kubernetes?
- Kubernetes rbac users audit logging
- kubernetes system:discovery role mechanism
- Rbac rules with Kubebuilder
- How to work with RBAC in Kubernetes
- How to debug ABAC to RBAC transition in a GKE kubernetes cluster?