-1

Currently, I have an ABAC policy that gives "system:authenticated" all access. K8s starts up fine when I have this defined, but if I remove it, K8s doesn't start up. I'm trying to find out what namespaces, service accounts, groups, users, etc. are being used on my K8s cluster so I can define a specific set of users/groups in the ABAC policy.

How can I get the groups and users in the K8s cluster? I'm using "kubectl --namespace=kube-system get serviceaccounts" to get the serviceaccounts... but where are the groups and users defined?

hyperstack

1 Answer

0

For Groups you might try (example for "system:masters"):

kubectl get clusterrolebindings -o json | jq -r '.items[] | select(any(.subjects[]?; .kind=="Group" and .name=="system:masters")) | .metadata.name'

Also, you can read all the namespaces at once by adding --all-namespaces=true to the kubectl command.

You should also check all local files for policies that might be applied.

Here is the Kubernetes documentation regarding Using ABAC Authorization.

As for users, I was only able to find a way of checking if a particular user is able, for example, to create a deployment in a namespace:

$ kubectl auth can-i create deployments --namespace dev
yes
$ kubectl auth can-i create deployments --namespace prod
no
Black_Bacardi
Crou
  • I'm looking for an entire list of users/groups on a K8s cluster. There are system users/groups by default... you need to give these default users/groups rules in the policies file but there are not specific lists of these users/groups. For the command you gave, you have to know the users/groups before using the command, so that doesn't do anything to retrieve all users/groups in the system. – hyperstack Mar 06 '19 at 02:26
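
An added example (not part of the answer above, and not Kubernetes project code): it generalizes the jq filter in the answer to list every distinct User, Group and ServiceAccount referenced by any RoleBinding or ClusterRoleBinding, checking all subjects of each binding. It assumes input in the shape produced by `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json`; the sample data and the function name `subjects_by_kind` are constructed for illustration.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape returned by
#   kubectl get clusterrolebindings,rolebindings --all-namespaces -o json
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ops", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "Group", "name": "system:masters"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    # A binding may legitimately have no subjects at all.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "empty"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]})


def subjects_by_kind(bindings_json):
    """Map (kind, name) of every subject to the sorted bindings that reference it."""
    found = defaultdict(set)
    for item in json.loads(bindings_json).get("items", []):
        meta = item["metadata"]
        where = "/".join(filter(None, [item["kind"], meta.get("namespace"), meta["name"]]))
        for subj in item.get("subjects") or []:  # every subject, not only the first
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                # Service accounts are namespaced, so qualify the name.
                name = f"{subj.get('namespace', meta.get('namespace', ''))}/{name}"
            found[(subj["kind"], name)].add(where)
    return {key: sorted(refs) for key, refs in found.items()}


if __name__ == "__main__":
    # Pipe real kubectl output on stdin, or run with no input to use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (kind, name), refs in sorted(subjects_by_kind(data).items()):
        print(f"{kind:15}{name:30}{', '.join(refs)}")
```

Users and groups are not stored as API objects, so this reports only the subjects that RBAC bindings reference; names granted access solely through the ABAC policy file have to be read from that file.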