One can create a Role or ClusterRole and assign it to a user via a RoleBinding or ClusterRoleBinding.
From the point of view of a user who has a token, how can they get all granted permissions or roles/rolebindings applied to them via kubectl?
# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
# Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
# Check to see if I can list deployments in my current namespace
kubectl auth can-i list deployments.apps
You can get further information with the kubectl auth --help command.
You can also impersonate a different user to check their permissions with the --as or --as-group flag:
kubectl auth can-i create deployments --namespace default --as john.cena
I think you are looking for the command kubectl auth can-i --list for listing all user permissions:
Resources                                      Non-Resource URLs                    Resource Names             Verbs
selfsubjectaccessreviews.authorization.k8s.io  []                                   []                         [create]
selfsubjectrulesreviews.authorization.k8s.io   []                                   []                         [create]
persistentvolumeclaims                         []                                   []                         [get list watch create delete deletecollection patch update]
pods/exec                                      []                                   []                         [get list watch create delete deletecollection patch update]
pods                                           []                                   []                         [get list watch create delete deletecollection patch update]
events                                         []                                   []                         [get list watch]
pods/log                                       []                                   []                         [get list watch]
configmaps                                     []                                   []                         [get watch list]
                                               [/.well-known/openid-configuration]  []                         [get]
                                               [/api/*]                             []                         [get]
                                               [/api]                               []                         [get]
                                               [/apis/*]                            []                         [get]
                                               [/apis]                              []                         [get]
                                               [/healthz]                           []                         [get]
                                               [/healthz]                           []                         [get]
                                               [/livez]                             []                         [get]
                                               [/livez]                             []                         [get]
                                               [/openapi/*]                         []                         [get]
                                               [/openapi]                           []                         [get]
                                               [/openid/v1/jwks]                    []                         [get]
                                               [/readyz]                            []                         [get]
                                               [/readyz]                            []                         [get]
                                               [/version/]                          []                         [get]
                                               [/version/]                          []                         [get]
                                               [/version]                           []                         [get]
                                               [/version]                           []                         [get]
podsecuritypolicies.policy                     []                                   [global-unrestricted-psp]  [use]
You can also see another user's permissions by adding --as=[user-name]
For example: kubectl auth can-i --list --as=jenkins
As for more granular information on roles and cluster roles per service account, or specific actions (verbs) allowed to be performed on specific resources, refer to this answer.
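
An added example, not part of the answers above: when reviewing an account's access, the table printed by kubectl auth can-i --list can be parsed and checked against a list of grants that deserve a closer look. The names parse_rules, flag_sensitive and the SENSITIVE policy are hypothetical; the sample rows are copied from the output above, plus one constructed row.

```python
import re

# A rule row of `kubectl auth can-i --list`: optional resource, then three
# bracketed lists (non-resource URLs, resource names, verbs).
ROW = re.compile(r"^([^\[\s]*)\s*\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")

# Hypothetical review policy (an assumption): resource -> verbs to look at.
SENSITIVE = {
    "secrets": {"get", "list", "watch"},
    "pods/exec": {"create"},
    "rolebindings.rbac.authorization.k8s.io": {"create", "update", "patch"},
    "clusterrolebindings.rbac.authorization.k8s.io": {"create", "update", "patch"},
}

def parse_rules(text):
    """Parse the table into dicts; the header and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            res, urls, names, verbs = m.groups()
            rules.append({"resource": res, "urls": urls.split(),
                          "names": names.split(), "verbs": set(verbs.split())})
    return rules

def flag_sensitive(rules):
    """Return (resource or URL, sorted verbs) for each grant to review."""
    findings = []
    for r in rules:
        res = r["resource"]
        # A wildcard resource makes every verb relevant; a "*" verb always is.
        wanted = r["verbs"] if res.startswith("*") else SENSITIVE.get(res, set()) | {"*"}
        hit = r["verbs"] & wanted
        if hit:
            findings.append((res or " ".join(r["urls"]), sorted(hit)))
    return findings

# Rows copied from the output above, plus one constructed row (secrets).
SAMPLE = """\
Resources Non-Resource URLs Resource Names Verbs
pods/exec [] [] [get list watch create delete deletecollection patch update]
[/api/*] [] [get]
podsecuritypolicies.policy [] [global-unrestricted-psp] [use]
secrets [] [] [get list]
"""

if __name__ == "__main__":
    for resource, verbs in flag_sensitive(parse_rules(SAMPLE)):
        print(f"review: {resource} -> {' '.join(verbs)}")
```

The output covers only the namespace the command was run in, so a review across namespaces needs one run per namespace.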