
I am trying to list permissions associated to a service account 'foobar-user' applied to my cluster in namespace 'kube-system':

kubectl auth can-i --list --as=system:serviceaccount:kube-system:foobar-user --namespace=kube-system

Resources                                       Non-Resource URLs                     Resource Names     Verbs
clusterroles                                    []                                    []                 [create list update watch get]
deployments                                     []                                    []                 [create list update watch get]
endpoints                                       []                                    []                 [create list update watch get]
pods                                            []                                    []                 [create list update watch get]
rolebindings                                    []                                    []                 [create list update watch get]
roles                                           []                                    []                 [create list update watch get]
secrets                                         []                                    []                 [create list update watch get]
services                                        []                                    []                 [create list update watch get]
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                 [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                 [create]
                                                [/.well-known/openid-configuration]   []                 [get]
                                                [/api/*]                              []                 [get]
                                                [/api]                                []                 [get]
                                                [/apis/*]                             []                 [get]
                                                [/apis]                               []                 [get]
                                                [/healthz]                            []                 [get]
                                                [/healthz]                            []                 [get]
                                                [/livez]                              []                 [get]
                                                [/livez]                              []                 [get]
                                                [/openapi/*]                          []                 [get]
                                                [/openapi]                            []                 [get]
                                                [/openid/v1/jwks]                     []                 [get]
                                                [/readyz]                             []                 [get]
                                                [/readyz]                             []                 [get]
                                                [/version/]                           []                 [get]
                                                [/version/]                           []                 [get]
                                                [/version]                            []                 [get]
                                                [/version]                            []                 [get]
nodes                                           []                                    []                 [list watch get]

What is the equivalent API to do this through the Python client for Kubernetes, i.e. to list the permissions associated with a service account? Appreciate your help, thanks!

KGosalia
    Any question of "kubectl does this, but what is the API for it?" is answered by dialing up the verbosity as `kubectl --v=100 auth can-i` and then mimicking its HTTP requests using the API binding of your choice – mdaniel Apr 05 '22 at 03:03

1 Answer


The equivalent API to do this through Python client for kubernetes is:

AuthorizationV1Api - create a SelfSubjectRulesReview

The official Kubernetes docs describe it as follows:

SelfSubjectRulesReview: A review which returns the set of actions a user can perform within a namespace. Useful for users to quickly summarize their own access, or for UIs to hide/show actions.

Checking API Access

YwH
  • Thanks for sharing! I tried and have a script which calls the API, but I get an HTTP 400 Bad Request error with the message: "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectAccessReview: v1.SelfSubjectAccessReview.Spec: readObjectStart: expect { or n, but found \", error found in #10 byte of ...|{\"spec\": \"foo-bar|..., bigger context ...|{\"spec\": \"foo-bar\"}|..." Any idea on why the request is malformed? – KGosalia Apr 07 '22 at 00:40
  • @KGosalia I think the error msg says it clearly: `"SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectAccessReview: v1.SelfSubjectAccessReview.Spec: readObjectStart: expect { or n, but found \"`, the `spec` part should be a JSON object, not a string. – YwH Apr 07 '22 at 05:16
  • I see but it is already a python dict. Here's my code snippet: spec = {"namespace": "foo-bar"} with kubernetes.client.ApiClient(configuration) as api_client: api_instance = kubernetes.client.AuthorizationV1Api(api_client) body = kubernetes.client.V1SelfSubjectAccessReview(spec=spec) api_response = api_instance.create_self_subject_access_review(body) pprint(api_response) body = {'api_version': None, 'kind': None, 'metadata': None, 'spec': 'foo-bar', 'status': None} – KGosalia Apr 07 '22 at 19:26
  • With that I hit the below error: ".authorization.k8s.io \"\" is invalid: spec.resourceAttributes: Invalid value: \"null\": exactly one of nonResourceAttributes or resourceAttributes must be specified" – KGosalia Apr 07 '22 at 19:29
  • @KGosalia Your spec dict is still invalid, it should look like the object described here: https://github.com/kubernetes-client/python/blob/master/kubernetes/docs/V1SelfSubjectAccessReviewSpec.md – YwH Apr 08 '22 at 03:25
  • Thanks, figured it out! The request was missing keyworded args – KGosalia Apr 08 '22 at 20:02
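As an added example (not code from the question, the answer or the kubernetes-client project), the script below does what the accepted answer describes and what the comment thread stumbled over: it builds the SelfSubjectRulesReview body that `kubectl auth can-i --list` posts, uses the `Impersonate-User` header that `--as` sets, flattens the response into the rows kubectl prints, and flags write access to RBAC objects and secrets so the output is useful for reviewing a service account's grants. It also shows a correctly shaped SelfSubjectAccessReview spec (a JSON object with `resourceAttributes`), which is the fix for the two errors quoted in the comments. The `SAMPLE_REVIEW` response, the service-account name `foobar-user`, and the `SENSITIVE_RESOURCES` set are constructed for this example; the `list_permissions` function needs the `kubernetes` package and a reachable cluster, everything else runs offline.

```python
"""Python equivalent of:
    kubectl auth can-i --list --as=system:serviceaccount:kube-system:foobar-user -n kube-system
kubectl POSTs a SelfSubjectRulesReview to /apis/authorization.k8s.io/v1/selfsubjectrulesreviews
while impersonating the service account. Constructed example; SAMPLE_REVIEW is made up.
"""
from typing import Any, Dict, List, Tuple

RulesRow = Tuple[str, Tuple[str, ...], Tuple[str, ...]]  # (resource or URL, resourceNames, verbs)

# Verbs and resources that deserve a second look when reviewing a service account's RBAC.
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection", "escalate", "bind", "impersonate"}
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts", "roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def impersonation_headers(namespace: str, service_account: str) -> Dict[str, str]:
    """Header equivalent of kubectl's --as=system:serviceaccount:<ns>:<name>.
    The caller must itself hold the 'impersonate' verb on serviceaccounts for the API server to accept it."""
    return {"Impersonate-User": f"system:serviceaccount:{namespace}:{service_account}"}


def rules_review_body(namespace: str) -> Dict[str, Any]:
    """Body for 'kubectl auth can-i --list'. Note that spec is a JSON object, not a string."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectRulesReview",
            "spec": {"namespace": namespace}}


def access_review_body(namespace: str, verb: str, resource: str, group: str = "", name: str = "") -> Dict[str, Any]:
    """Body for a single 'kubectl auth can-i <verb> <resource>' check.
    The API requires exactly one of resourceAttributes / nonResourceAttributes inside spec."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb,
                                            "resource": resource, "group": group, "name": name}}}


def summarize_rules(review: Dict[str, Any]) -> List[RulesRow]:
    """Flatten status.resourceRules / status.nonResourceRules into kubectl-style rows.
    Non-core resources are labelled resource.group, as kubectl prints them."""
    status = review["status"]
    if status.get("incomplete"):
        # Non-RBAC authorizers (e.g. webhooks) may not report rules; a partial list is not a full audit.
        raise ValueError("SelfSubjectRulesReview is incomplete: " + status.get("evaluationError", ""))
    rows: List[RulesRow] = []
    for rule in status.get("resourceRules", []):
        verbs = tuple(rule.get("verbs", []))
        names = tuple(rule.get("resourceNames", []))
        for group in rule.get("apiGroups") or [""]:
            for resource in rule.get("resources", []):
                rows.append((f"{resource}.{group}" if group else resource, names, verbs))
    for rule in status.get("nonResourceRules", []):
        verbs = tuple(rule.get("verbs", []))
        for url in rule.get("nonResourceURLs", []):
            rows.append((url, (), verbs))
    return rows


def risky_grants(rows: List[RulesRow]) -> List[Tuple[str, List[str]]]:
    """Rows granting write-type verbs on secrets or RBAC objects ('*' resource counts as all of them)."""
    flagged = []
    for label, _names, verbs in rows:
        if label.startswith("/"):  # non-resource URL, never a sensitive resource
            continue
        bare = label.split(".", 1)[0]
        if bare in SENSITIVE_RESOURCES or bare == "*":
            hits = sorted(WRITE_VERBS.intersection(verbs))
            if hits:
                flagged.append((label, hits))
    return flagged


def list_permissions(namespace: str, service_account: str) -> List[RulesRow]:
    """Run the review against the cluster in the current kubeconfig context.
    The kubernetes package is imported lazily so the offline helpers above work without it."""
    from kubernetes import client, config

    config.load_kube_config()
    api_client = client.ApiClient()
    for header, value in impersonation_headers(namespace, service_account).items():
        api_client.set_default_header(header, value)
    api = client.AuthorizationV1Api(api_client)
    body = client.V1SelfSubjectRulesReview(spec=client.V1SelfSubjectRulesReviewSpec(namespace=namespace))
    response = api.create_self_subject_rules_review(body)
    # Turn the typed model back into the plain camelCase dict that summarize_rules expects.
    return summarize_rules(api_client.sanitize_for_serialization(response))


# Constructed response, shaped like what the API server returns for the command above.
SAMPLE_REVIEW: Dict[str, Any] = {
    "apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectRulesReview",
    "spec": {"namespace": "kube-system"},
    "status": {
        "incomplete": False,
        "resourceRules": [
            {"verbs": ["create", "list", "update", "watch", "get"], "apiGroups": [""],
             "resources": ["pods", "secrets", "services"]},
            {"verbs": ["create", "list", "update", "watch", "get"], "apiGroups": ["rbac.authorization.k8s.io"],
             "resources": ["clusterroles", "rolebindings"]},
            {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
             "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
            {"verbs": ["list", "watch", "get"], "apiGroups": [""], "resources": ["nodes"]},
        ],
        "nonResourceRules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz", "/livez", "/readyz", "/version"]}],
    },
}

if __name__ == "__main__":
    rows = summarize_rules(SAMPLE_REVIEW)
    for row in rows:
        print(row)
    print("write access to sensitive resources:", risky_grants(rows))
```

Against a live cluster, `list_permissions("kube-system", "foobar-user")` replaces the sample; the impersonation header is what makes the "self" in SelfSubjectRulesReview the service account rather than your own kubeconfig identity, so the call is only as trustworthy as the authorizer's answer and the `incomplete` flag should never be ignored.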