I tried with the kubectl get sa default command, but only see some very basic values. What's the command to view the permissions/roles associated with a specific service account in k8s?
We will also assume that RBAC has been enabled in your cluster through the --authorization-mode=RBAC option in your Kubernetes API server. You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version rbac.authorization.k8s.io/v1.
The following command could help. It basically gets the RoleBindings and ClusterRoleBindings whose .subjects[0].name is the name of the ServiceAccount.
$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="SERVICE_ACCOUNT_NAME")]}[{.roleRef.kind},{.roleRef.name}]{end}'
Note: it will not list RoleBindings / ClusterRoleBindings that contain several objects in the subjects field.
For instance, if weave-net is deployed as the network plugin, you can get the Role and ClusterRole used by the weave-net ServiceAccount:
$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="weave-net")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,weave-net][ClusterRole,weave-net]
Hope this helps.
You can try this command to generate a table to show the mapping:
kubectl get rolebindings,clusterrolebindings \
--all-namespaces \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'
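The two kubectl one-liners above (the .subjects[0] jsonpath filter and the custom-columns table) both stop at the binding level, and the first one misses bindings whose service account is not the first subject. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It reads the "items" list that kubectl get rolebindings,clusterrolebindings,roles,clusterroles -A -o json prints, checks every subject of every binding (including the implicit Group subjects system:serviceaccounts and system:serviceaccounts:<namespace>), and then expands each binding into the rules of the Role or ClusterRole it references. The SAMPLE document is constructed by hand in the shape of kubectl's JSON output; the weave-net names are reused from the answer above, everything else in it is made up.

```python
"""Resolve the RBAC bindings and rules that apply to one ServiceAccount.

Added example for this thread, not code from any of the answers. Input is the
"items" list from `kubectl get rolebindings,clusterrolebindings,roles,clusterroles
-A -o json`; SAMPLE below is a hand-constructed stand-in for that output.
"""
import json
import sys

# Constructed sample (not real cluster data) in the shape of `kubectl ... -o json`.
SAMPLE = json.dumps({"items": [
    {"kind": "RoleBinding", "metadata": {"name": "weave-net", "namespace": "kube-system"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "Role", "name": "weave-net"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "weave-net"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "weave-net"}},
    # The service account is the second subject: a subjects[0] filter misses this one.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "shared-view"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    # Granted to every service account in kube-system through the implicit group.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-system-sa-view"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    # Same SA name in another namespace: must not match kube-system/weave-net.
    {"kind": "RoleBinding", "metadata": {"name": "other", "namespace": "default"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "default"}],
     "roleRef": {"kind": "Role", "name": "other-role"}},
    # A ClusterRole bound by a RoleBinding only applies inside that namespace.
    {"kind": "RoleBinding", "metadata": {"name": "view-monitoring", "namespace": "monitoring"},
     "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
    {"kind": "Role", "metadata": {"name": "weave-net", "namespace": "kube-system"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]}]},
    {"kind": "Role", "metadata": {"name": "other-role", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "weave-net"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}]},
]})


def load_items(text):
    """Parse the JSON list that `kubectl get ... -o json` prints."""
    return json.loads(text)["items"]


def subject_matches(subject, sa_name, sa_namespace):
    """True if one binding subject covers the given ServiceAccount."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        # ServiceAccount subjects carry a namespace; the name alone is not enough.
        return name == sa_name and subject.get("namespace") == sa_namespace
    if kind == "Group":
        # Groups every service account belongs to implicitly.
        return name in ("system:serviceaccounts",
                        "system:serviceaccounts:" + sa_namespace,
                        "system:authenticated")
    return False


def bindings_for(items, sa_name, sa_namespace):
    """Every RoleBinding/ClusterRoleBinding whose subjects include the SA."""
    found = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        for subj in obj.get("subjects") or []:  # subjects may be absent or null
            if subject_matches(subj, sa_name, sa_namespace):
                found.append({"binding": obj["kind"],
                              "namespace": obj["metadata"].get("namespace"),
                              "via": subj["kind"] + "/" + subj["name"],
                              "role_kind": obj["roleRef"]["kind"],
                              "role_name": obj["roleRef"]["name"]})
                break
    return found


def rules_for(items, bindings):
    """Expand each binding into the rules of the Role/ClusterRole it references."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules") or []
             for o in items if o["kind"] in ("Role", "ClusterRole")}
    expanded = []
    for b in bindings:
        if b["role_kind"] == "Role":
            key, scope = ("Role", b["namespace"], b["role_name"]), b["namespace"]
        else:
            key = ("ClusterRole", None, b["role_name"])
            # ClusterRole via RoleBinding: that namespace only; via ClusterRoleBinding: cluster-wide.
            scope = b["namespace"] if b["binding"] == "RoleBinding" else "*"
        for rule in roles.get(key, []):
            expanded.append({"scope": scope, "verbs": rule.get("verbs", []),
                             "apiGroups": rule.get("apiGroups", []),
                             "resources": rule.get("resources", []),
                             "origin": b["role_kind"] + "/" + b["role_name"]})
    return expanded


if __name__ == "__main__":
    # kubectl get rolebindings,clusterrolebindings,roles,clusterroles -A -o json \
    #   | python3 rbac_sa.py <service-account> <namespace>   (no args: use SAMPLE)
    name, ns = sys.argv[1:3] if len(sys.argv) == 3 else ("weave-net", "kube-system")
    data = load_items(sys.stdin.read() if len(sys.argv) == 3 else SAMPLE)
    found = bindings_for(data, name, ns)
    for b in found:
        print("%-19s %-12s %-42s %s/%s" % (b["binding"], b["namespace"] or "-", b["via"],
                                         b["role_kind"], b["role_name"]))
    for r in rules_for(data, found):
        print("%-12s %-12s %-12s %-18s %s" % (r["scope"], ",".join(r["verbs"]),
              ",".join(g or "core" for g in r["apiGroups"]), ",".join(r["resources"]), r["origin"]))
```

Run with no arguments it prints the five bindings from the sample for kube-system/weave-net (including the one where the account is the second subject and the one inherited through the namespace group) and the rules they grant, with a ClusterRole referenced from a RoleBinding scoped to that binding's namespace rather than cluster-wide. As a cross-check from the API server's own point of view, kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name> lists what that identity is actually allowed to do.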
The issue with all the answers above is that they rely on you doing additional legwork to then compile all of the RoleBindings and/or ClusterRoleBindings and any duplicate policies that are granted by them into one master list you can reference for a given user/group/serviceaccount.
After a good deal of searching, I found rbac-tool.
Use the lookup command to see all Roles or ClusterRoles that are bound to a user or service account. For example, this will print the Roles and ClusterRoles for the default ServiceAccount.
rbac-tool lookup default
SUBJECT | SUBJECT TYPE | SCOPE | NAMESPACE | ROLE
+---------------------------------+----------------+-------------+-----------------------+-----------------------------------------------------------------+
default | ServiceAccount | ClusterRole | | cluster-admin
default | ServiceAccount | Role | openshift-marketplace | 29517457e658582846e43460363c3ffde708b018f636a66cc7e33076254bff4
default | ServiceAccount | ClusterRole | rook-ceph | psp:rook
system:serviceaccounts:default | Group | ClusterRole | default | system:image-puller
Use the policy-rules command to see all resources and RBAC rules granted to a specific user or service account.
rbac-tool policy-rules system:serviceaccounts:default
TYPE | SUBJECT | VERBS | NAMESPACE | API GROUP | KIND | NAMES | NONRESOURCEURI | ORIGINATED FROM
+-------+--------------------------------+-------+-----------+--------------------+---------------------+-------+----------------+-----------------------------------+
Group | system:serviceaccounts:default | get | default | core | imagestreams/layers | | | ClusterRoles>>system:image-puller
Group | system:serviceaccounts:default | get | default | image.openshift.io | imagestreams/layers | | | ClusterRoles>>system:image-puller