38

I tried with the kubectl get sa default command, but only see some very basic values. What's the command to view the permissions/roles associated with a specific service account in k8s?

injoy
  • 3,993
  • 10
  • 40
  • 69

6 Answers

28

The following command could help. It basically gets the RoleBindings and ClusterRoleBindings whose .subjects[0] is the name of the ServiceAccount.

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="SERVICE_ACCOUNT_NAME")]}[{.roleRef.kind},{.roleRef.name}]{end}'

Note: it will not list the RoleBindings / ClusterRoleBindings which contain several objects in the subject field.

For instance, if weave-net is deployed as the network plugin, you can get the Role and ClusterRole used by the weave-net ServiceAccount:

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="weave-net")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,weave-net][ClusterRole,weave-net]

Hope this helps.

Luc
  • 16,604
  • 34
  • 121
  • 183
26
kubectl get rolebindings,clusterrolebindings \
--all-namespaces  \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'

You can try this command to generate a table to show the mapping.


Andy Wong
  • 3,676
  • 1
  • 21
  • 18
  • 6
    Or just use `kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide` Then grep for the name of your service account – Tom Ferguson Feb 04 '21 at 16:11
9

The issue with all the answers above is that they rely on you doing additional legwork to then compile all of the RoleBindings and/or ClusterRoleBindings and any duplicate policies that are granted by them into one master list you can reference for a given user/group/serviceaccount.

After a good deal of searching, I found rbac-tool.

Lookup Bindings

Use the lookup command to see all Roles or ClusterRoles that are bound to a user or service account.

For example, this will print the Roles and ClusterRoles for the default ServiceAccount.

rbac-tool lookup default

  SUBJECT                         | SUBJECT TYPE   | SCOPE       | NAMESPACE             | ROLE
+---------------------------------+----------------+-------------+-----------------------+-----------------------------------------------------------------+
  default                         | ServiceAccount | ClusterRole |                       | cluster-admin
  default                         | ServiceAccount | Role        | openshift-marketplace | 29517457e658582846e43460363c3ffde708b018f636a66cc7e33076254bff4
  default                         | ServiceAccount | ClusterRole | rook-ceph             | psp:rook
  system:serviceaccounts:default  | Group          | ClusterRole | default               | system:image-puller

Display RBAC Policies

Use the policy-rules command to see all resources and RBAC rules granted to a specific user or service account.

rbac-tool policy-rules system:serviceaccounts:default

  TYPE  | SUBJECT                        | VERBS | NAMESPACE | API GROUP          | KIND                | NAMES | NONRESOURCEURI | ORIGINATED FROM
+-------+--------------------------------+-------+-----------+--------------------+---------------------+-------+----------------+-----------------------------------+
  Group | system:serviceaccounts:default | get   | default   | core               | imagestreams/layers |       |                | ClusterRoles>>system:image-puller
  Group | system:serviceaccounts:default | get   | default   | image.openshift.io | imagestreams/layers |       |                | ClusterRoles>>system:image-puller
ivandov
  • 619
  • 8
  • 14
6

I think you are looking for the commands kubectl auth can-i --list and kubectl auth can-i --list --as=[user-name].

Sample output:

kubectl auth can-i --list 
Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]
rok
  • 9,403
  • 17
  • 70
  • 126
1

Get the Role name which is bound to the serviceaccount default using the following command: kubectl get rolebinding --output=yaml or kubectl get clusterrolebinding --output=yaml

Now get the role config using kubectl get role rolenamefrompreviouscommands.

joseph
  • 940
  • 10
  • 19
0

In Kubernetes, a service account is mapped to privileges (cluster level or namespace level) using a ClusterRoleBinding object. You need to look up the RoleBinding or ClusterRoleBinding object and then look up the Role or ClusterRole object to see what privileges it has in the cluster.

Shudipta Sharma
  • 5,178
  • 3
  • 19
  • 33
P Ekambaram
  • 15,499
  • 7
  • 34
  • 59
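The answers above describe the same two-step procedure (find the bindings that name the ServiceAccount, then read the Role or ClusterRole each one references), and two of them point out the gaps: the jsonpath query only inspects subjects[0], and none of the kubectl one-liners compile the results into one list the way rbac-tool's policy-rules does. The script below is an added example, not code from any answer or from rbac-tool. It walks every subject of every binding, also matches the groups a ServiceAccount implicitly belongs to (system:serviceaccounts:<ns>, system:serviceaccounts, system:authenticated), resolves each roleRef, scopes the rules to the binding's namespace or to the whole cluster, and flags bindings whose roleRef points at a Role that no longer exists. The embedded BINDINGS and ROLES dicts are constructed sample data shaped like the output of `kubectl get rolebinding,clusterrolebinding -A -o json` and `kubectl get role,clusterrole -A -o json`, trimmed to the fields the script reads; in practice you would `json.load` the real output instead. Treating a ServiceAccount subject with no namespace field as living in the binding's namespace is an assumption made for this example.

```python
"""Compile the effective RBAC rules for a ServiceAccount from kubectl JSON output."""

# Constructed sample data standing in for
#   kubectl get rolebinding,clusterrolebinding -A -o json
#   kubectl get role,clusterrole -A -o json
# (trimmed to the fields this script reads; names are made up for the example).
BINDINGS = {"items": [
    {"kind": "RoleBinding", "metadata": {"name": "weave-net", "namespace": "kube-system"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "Role", "name": "weave-net"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "weave-net"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "weave-net"}},
    # The ServiceAccount is NOT subjects[0] here: a subjects[0]-only query misses it.
    {"kind": "RoleBinding", "metadata": {"name": "app-reader", "namespace": "default"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "default"}],  # namespace omitted
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # Granted through the implicit group, without naming the ServiceAccount at all.
    {"kind": "RoleBinding", "metadata": {"name": "pullers", "namespace": "default"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:default"}],
     "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"}},
    # Dangling roleRef: the Role it points at does not exist any more.
    {"kind": "RoleBinding", "metadata": {"name": "stale", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "does-not-exist"}},
]}
ROLES = {"items": [
    {"kind": "Role", "metadata": {"name": "weave-net", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "weave-net"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["list", "get", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "system:image-puller"},
     "rules": [{"apiGroups": ["", "image.openshift.io"], "resources": ["imagestreams/layers"], "verbs": ["get"]}]},
]}


def sa_identities(namespace, name):
    """Every subject key a ServiceAccount token matches: itself plus its implicit groups."""
    return {
        ("ServiceAccount", name, namespace),
        ("Group", f"system:serviceaccounts:{namespace}", None),
        ("Group", "system:serviceaccounts", None),
        ("Group", "system:authenticated", None),
    }


def bindings_for(bindings, namespace, name):
    """All RoleBindings/ClusterRoleBindings granting to the SA, checking every subject."""
    ids = sa_identities(namespace, name)
    hits = []
    for b in bindings["items"]:
        b_ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                # Assumption for this example: a missing namespace means the binding's own.
                key = ("ServiceAccount", s.get("name"), s.get("namespace") or b_ns)
            else:
                key = (s.get("kind"), s.get("name"), None)
            if key in ids:
                hits.append({"binding": f'{b["kind"]}/{b["metadata"]["name"]}',
                             "namespace": b_ns,
                             "via": f'{s["kind"]}/{s["name"]}',
                             "role": (b["roleRef"]["kind"], b["roleRef"]["name"])})
                break  # one row per binding even if several subjects match
    return hits


def policy_rules(bindings, roles, namespace, name):
    """Resolve each matching binding's roleRef and flatten the rules it grants."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r.get("rules") or []
             for r in roles["items"]}
    rows = []
    for hit in bindings_for(bindings, namespace, name):
        kind, rname = hit["role"]
        # A RoleBinding may reference a ClusterRole; the rules then apply only in its namespace.
        scope = hit["namespace"] or "*"
        origin = f'{hit["binding"]} -> {kind}/{rname} (via {hit["via"]})'
        rules = index.get((kind, hit["namespace"] if kind == "Role" else None, rname))
        if rules is None:
            rows.append({"scope": scope, "missing_role": f"{kind}/{rname}", "from": origin})
            continue
        for rule in rules:
            rows.append({"scope": scope, "verbs": sorted(rule.get("verbs", [])),
                         "apiGroups": rule.get("apiGroups", []),
                         "resources": rule.get("resources", []),
                         "nonResourceURLs": rule.get("nonResourceURLs", []),
                         "from": origin})
    return rows


if __name__ == "__main__":
    for row in policy_rules(BINDINGS, ROLES, "default", "default"):
        print(row)
```

Running it for the default ServiceAccount in the default namespace yields three rows: the pod-reader rule reached through the second subject of app-reader, the image-puller rule reached only through the system:serviceaccounts:default group, and a missing_role entry for the stale binding. The last kind of row is worth keeping in the report rather than dropping, since a binding that outlives its Role becomes live again the moment someone recreates a Role with that name.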