
How to find which role or clusterrole is bound to a service account in Kubernetes?

Is there a way with kubectl to find out which clusterroles or roles are bound to the service account?

karthikeayan asked Apr 12 '19 07:04


People also ask

How do you check the role of a service account in Kubernetes?

In Kubernetes, a service account is mapped to privileges (cluster level or namespace level) using a RoleBinding or ClusterRoleBinding object. You need to look up the RoleBinding or ClusterRoleBinding object and then look up the Role or ClusterRole object it references to see what privileges it has in the cluster.

How do you check RBAC in Kubernetes?

You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version rbac.authorization.k8s.io/v1.

What is ClusterRole binding in Kubernetes?

A role binding grants the permissions defined in a role to a user or set of users. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A RoleBinding grants permissions within a specific namespace whereas a ClusterRoleBinding grants that access cluster-wide.


1 Answer

You could do something like:

kubectl get rolebindings,clusterrolebindings \
  --all-namespaces  \
  -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' | grep "<SERVICE_ACCOUNT_NAME>"

Replace the grep with the name of the service account you are looking for.

Esteban Garcia answered Oct 06 '22 01:10
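An added example, not part of the answer above: the grep matches a name in any namespace and does not show which role is granted, so this Python sketch filters the JSON form of the same kubectl query by service account name and namespace and reports each binding's roleRef. It goes beyond the answer by also reporting bindings to the groups every service account belongs to (system:serviceaccounts, system:serviceaccounts:<namespace>, system:authenticated); the account builder in namespace dev and all sample bindings are constructed.

```python
import json

# Constructed sample, shaped like the output of:
#   kubectl get rolebindings,clusterrolebindings --all-namespaces -o json
SAMPLE = json.loads("""
{"items": [
 {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
 {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "prod"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "prod"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "builder"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "orphan"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"}}
]}
""")

def bindings_for_sa(binding_list, sa_name, sa_namespace):
    """Return (binding kind, namespace, binding name, role kind, role name, via)."""
    # Groups that every service account in sa_namespace is a member of.
    groups = {"system:serviceaccounts",
              f"system:serviceaccounts:{sa_namespace}",
              "system:authenticated"}
    hits = []
    for b in binding_list.get("items", []):
        for s in b.get("subjects") or []:  # subjects may be absent or null
            direct = (s.get("kind") == "ServiceAccount"
                      and s.get("name") == sa_name
                      and s.get("namespace") == sa_namespace)
            via_group = s.get("kind") == "Group" and s.get("name") in groups
            if direct or via_group:
                meta, ref = b["metadata"], b["roleRef"]
                hits.append((b["kind"], meta.get("namespace", "-"), meta["name"],
                             ref["kind"], ref["name"],
                             "direct" if direct else s["name"]))
    return hits

if __name__ == "__main__":
    for row in bindings_for_sa(SAMPLE, "builder", "dev"):
        print(*row, sep="\t")
```

Against a live cluster, load the kubectl JSON output in place of SAMPLE; the rules behind each reported Role or ClusterRole still have to be read separately to see what the account can actually do.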