8

I am looking to output a comma separated list of all user accounts from Kubernetes.

I understand that one can return a list of namespaces, pods, and so on from Kubernetes using the 'kubectl get namespace' and 'kubectl get pods' command. However, is there an equivalent for returning a list of Kubernetes users?

Currently, I can see a list of all of the user accounts and their respective names, emails, and IDs from within Kubernetes via our management platform Rancher but, the problem is, I can't seem to find a way to return a comma-separated list of these users via the command line through kubectl or PowerShell.

Kerbol

5 Answers

6

This really depends on your k8s setup and rbac model.

I would suggest that you look at the objects talked about here https://kubernetes.io/docs/reference/access-authn-authz/rbac/

In the end, the commands you probably want are:

kubectl get clusterroles.rbac.authorization.k8s.io --all-namespaces
kubectl get roles.rbac.authorization.k8s.io --all-namespaces
Shlomi
Josh Beauregard
    Clusterroles are not namespaced anyway and also users are different than roles/clusterroles. That does not answer the question in any way. – DimiDak Jan 04 '23 at 13:41
0

You can use the command below to get the list of users in the Kubernetes environment.

kubectl config get-users
DimiDak
    This will only return users from your local config file, not from the k8s cluster itself. – Pav K. Oct 20 '22 at 06:37
0

In Kubernetes nomenclature, users are called serviceaccounts. To get the list of all serviceaccounts from all namespaces, the command you are looking for is:

kubectl get serviceaccounts -A
ashishpm
0

It would seem that there is no centralized way of finding an authoritative list of users on the "server" side (cluster), versus suggestions previously stated on this page of seeing which users an individual client has set in their .kube/config file. As the documentation states:

It is assumed that a cluster-independent service manages normal users [...] Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

As far as I have been able to tell, the only reference to non-SA users appears to be when specifying "User" while defining RoleBinding and ClusterRoleBinding. However, my assumption is that since you cannot add a user through a normal API call, you most likely cannot get a list of 'users' from the API either. Again, "Kubernetes does not have objects which represent normal user accounts."

For what it is worth, ChatGPT suggested using kubectl get users and kubectl get groups. I am assuming it incorrectly picked up these suggestions from maybe this 2021 Rancher forum article (you will notice the kubectl 'get' command for what appears to be a period delineated CRD that begins with user.rancher.[...]): https://forums.rancher.com/t/kubectl-command-to-return-a-list-of-all-user-accounts-from-rancher-security-accounts-users/36171

The answer given in that article also reinforces the concept from the K8s doc. In any case, as of v1.26, it appears the concept of 'users' is still deliberately detached from the Kubernetes control plane as much as possible.

Gregory Martin
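The answer above notes that normal users surface only as "User" subjects of RoleBinding and ClusterRoleBinding objects. As an added example (not part of the original answer), this script collects those subject names from `kubectl get rolebindings,clusterrolebindings -A -o json` and prints them comma-separated. It lists only names that have been granted access by a binding, not an authoritative user list; `SAMPLE` and all names in it are constructed.

```python
import json
import sys

# Constructed sample shaped like the output of
# `kubectl get rolebindings,clusterrolebindings -A -o json` (not real cluster data).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "alice@example.com"},
               {"kind": "Group", "name": "platform-team"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "User", "name": "bob@example.com"},
               {"kind": "User", "name": "alice@example.com"},
               {"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "orphaned"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")


def bound_subjects(binding_list, kind="User"):
    """Map each subject name of `kind` to the sorted bindings that reference it."""
    found = {}
    for item in binding_list.get("items", []):
        meta = item.get("metadata", {})
        scope = meta.get("namespace", "<cluster>")
        ref = f'{item.get("kind")}/{scope}/{meta.get("name")} -> {item["roleRef"]["name"]}'
        # `subjects` is optional: a binding may exist with no subjects at all.
        for subject in item.get("subjects") or []:
            if subject.get("kind") == kind:
                found.setdefault(subject["name"], set()).add(ref)
    return {name: sorted(refs) for name, refs in sorted(found.items())}


def as_csv(binding_list, kind="User"):
    """Comma-separated, de-duplicated names, as the question asks for."""
    return ",".join(bound_subjects(binding_list, kind))


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run with no pipe to use the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    print(as_csv(data))
```

Passing `kind="Group"` lists group subjects instead; users who get access only through a group never appear by name, since group membership is resolved by the external authenticator.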
-2

You can try the following command to print all existing users on the current config:

kubectl config view -o json  | jq ".users" | grep "name" | awk '{print $2}' | tr -d "\"" | tr -d ","
    Word of caution: this will only list users present in the current kubeconfig, not the entire cluster. – P.... Oct 30 '22 at 23:10