 

How to view the permissions/roles associated with a specific service account in k8s?

I tried with the kubectl get sa default command, but only see some very basic values. What's the command to view the permissions/roles associated with a specific service account in k8s?

injoy asked Feb 09 '19 01:02




3 Answers

The following command could help. It basically gets the RoleBindings and ClusterRoleBindings whose .subjects[0].name is the name of the ServiceAccount.

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="SERVICE_ACCOUNT_NAME")]}[{.roleRef.kind},{.roleRef.name}]{end}'

Note: it will not list the RoleBindings / ClusterRoleBindings that contain several objects in the subjects field.

For instance, if weave-net is deployed as the network plugin, you can get the Role and ClusterRole used by the weave-net ServiceAccount:

$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="weave-net")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,weave-net][ClusterRole,weave-net]

Hope this helps.

Luc answered Oct 28 '22 11:10


kubectl get rolebindings,clusterrolebindings \
--all-namespaces  \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'

You can try this command to generate a table that shows the mapping.


Andy Wong answered Oct 28 '22 12:10


The issue with all the answers above is that they rely on you doing additional legwork to then compile all of the RoleBindings and/or ClusterRoleBindings and any duplicate policies that are granted by them into one master list you can reference for a given user/group/serviceaccount.

After a good deal of searching, I found rbac-tool.

Lookup Bindings

Use the lookup command to see all Roles or ClusterRoles that are bound to a user or service account.

For example, this will print the Roles and ClusterRoles for the default ServiceAccount.

rbac-tool lookup default

  SUBJECT                         | SUBJECT TYPE   | SCOPE       | NAMESPACE             | ROLE
+---------------------------------+----------------+-------------+-----------------------+-----------------------------------------------------------------+
  default                         | ServiceAccount | ClusterRole |                       | cluster-admin
  default                         | ServiceAccount | Role        | openshift-marketplace | 29517457e658582846e43460363c3ffde708b018f636a66cc7e33076254bff4
  default                         | ServiceAccount | ClusterRole | rook-ceph             | psp:rook
  system:serviceaccounts:default  | Group          | ClusterRole | default               | system:image-puller

Display RBAC Policies

Use the policy-rules command to see all resources and RBAC rules granted to a specific user or service account.

rbac-tool policy-rules system:serviceaccounts:default

  TYPE  | SUBJECT                        | VERBS | NAMESPACE | API GROUP          | KIND                | NAMES | NONRESOURCEURI | ORIGINATED FROM
+-------+--------------------------------+-------+-----------+--------------------+---------------------+-------+----------------+-----------------------------------+
  Group | system:serviceaccounts:default | get   | default   | core               | imagestreams/layers |       |                | ClusterRoles>>system:image-puller
  Group | system:serviceaccounts:default | get   | default   | image.openshift.io | imagestreams/layers |       |                | ClusterRoles>>system:image-puller
ivandov answered Oct 28 '22 11:10
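Luc's caveat (a jsonpath filter on subjects[0] misses a ServiceAccount listed later in the subject list, and it also matches a same-named ServiceAccount in another namespace because it never compares namespaces) and ivandov's point (the bindings still have to be compiled into one list of rules) both come down to resolving subjects the way the RBAC authorizer does. The Python below is an added example, not code from any of the answers and not part of rbac-tool. It works offline on the JSON shape that `kubectl get rolebinding,clusterrolebinding -A -o json` and `kubectl get role,clusterrole -A -o json` print: it matches the ServiceAccount itself (a missing subject namespace in a RoleBinding means the binding's own namespace), the implicit groups system:serviceaccounts, system:serviceaccounts:<ns> and system:authenticated that every ServiceAccount token carries, and then flattens the referenced Role/ClusterRole rules with the scope the binding confers. The bindings and roles in the block are constructed samples: the names shared-readers, ns-sa-readers, other and secrets-reader are made up for the illustration, weave-net echoes the name used on this page, and the rules given to the view ClusterRole are a trimmed stand-in, not the real role's rule set.

```python
"""Added example (not from the answers above or from rbac-tool): resolve offline
which bindings and rules apply to one ServiceAccount.

Input shape is what `kubectl get rolebinding,clusterrolebinding -A -o json` and
`kubectl get role,clusterrole -A -o json` print (a List with items). The objects
below are constructed samples trimmed to the fields the code reads.
"""
import json

# Constructed sample bindings. "other" is the trap: it names weave-net but, with no
# subject namespace inside a RoleBinding in "default", it refers to default/weave-net.
BINDINGS = json.loads("""
{"kind": "List", "items": [
  {"kind": "RoleBinding", "metadata": {"name": "weave-net", "namespace": "kube-system"},
   "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
   "roleRef": {"kind": "Role", "name": "weave-net"}},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "weave-net"},
   "subjects": [{"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
   "roleRef": {"kind": "ClusterRole", "name": "weave-net"}},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "shared-readers"},
   "subjects": [{"kind": "User", "name": "alice"},
                {"kind": "ServiceAccount", "name": "weave-net", "namespace": "kube-system"}],
   "roleRef": {"kind": "ClusterRole", "name": "view"}},
  {"kind": "RoleBinding", "metadata": {"name": "ns-sa-readers", "namespace": "default"},
   "subjects": [{"kind": "Group", "name": "system:serviceaccounts:kube-system"}],
   "roleRef": {"kind": "ClusterRole", "name": "view"}},
  {"kind": "RoleBinding", "metadata": {"name": "other", "namespace": "default"},
   "subjects": [{"kind": "ServiceAccount", "name": "weave-net"}],
   "roleRef": {"kind": "Role", "name": "secrets-reader"}}
]}""")

# Constructed sample roles. The "view" rules are a trimmed stand-in, not the real ClusterRole.
# No Role named secrets-reader exists, so the "other" binding's roleRef dangles.
ROLES = json.loads("""
{"kind": "List", "items": [
  {"kind": "Role", "metadata": {"name": "weave-net", "namespace": "kube-system"},
   "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "weave-net"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "view"},
   "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]}
]}""")


def subject_matches(subject, sa_name, sa_namespace, binding_namespace):
    """Mirror the RBAC authorizer's subject rules for a ServiceAccount identity."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        # In a RoleBinding an SA subject without a namespace means the binding's own namespace.
        ns = subject.get("namespace") or binding_namespace
        return name == sa_name and ns == sa_namespace
    if kind == "Group":
        # Groups every SA token carries; membership is implicit, not visible on the SA object.
        return name in {"system:serviceaccounts",
                        f"system:serviceaccounts:{sa_namespace}",
                        "system:authenticated"}
    return False  # User subjects never match a ServiceAccount


def bindings_for(bindings, sa_name, sa_namespace):
    """(binding kind, binding name, binding namespace, roleRef kind, roleRef name) for
    every binding whose subject list, at any index, covers the SA."""
    hits = []
    for b in bindings["items"]:
        b_ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        if any(subject_matches(s, sa_name, sa_namespace, b_ns) for s in b.get("subjects") or []):
            hits.append((b["kind"], b["metadata"]["name"], b_ns,
                         b["roleRef"]["kind"], b["roleRef"]["name"]))
    return hits


def effective_rules(bindings, roles, sa_name, sa_namespace):
    """Flatten the rules the SA really holds, each tagged with the namespace it applies in
    ('*' means cluster-wide) and the binding it came from."""
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r
              for r in roles["items"]}
    out = []
    for b_kind, b_name, b_ns, ref_kind, ref_name in bindings_for(bindings, sa_name, sa_namespace):
        role = by_ref.get((ref_kind, b_ns if ref_kind == "Role" else None, ref_name))
        if role is None:
            continue  # dangling roleRef grants nothing
        # A RoleBinding that references a ClusterRole confines its rules to the binding's namespace.
        scope = "*" if b_kind == "ClusterRoleBinding" else b_ns
        for rule in role.get("rules", []):
            for resource in rule.get("resources", []):
                out.append({"scope": scope, "resource": resource,
                            "verbs": sorted(rule["verbs"]), "via": f"{b_kind}/{b_name}"})
    return out


def allows(rules, verb, resource, namespace):
    """True if the flattened rules permit `verb` on `resource` in `namespace`."""
    return any(r["resource"] == resource and verb in r["verbs"] and r["scope"] in ("*", namespace)
               for r in rules)


if __name__ == "__main__":
    for hit in bindings_for(BINDINGS, "weave-net", "kube-system"):
        print("binding:", hit)
    for rule in effective_rules(BINDINGS, ROLES, "weave-net", "kube-system"):
        print("rule:", rule)
```

To run it against a real cluster, replace the two literals with json.load over the output of `kubectl get rolebinding,clusterrolebinding -A -o json` and `kubectl get role,clusterrole -A -o json`. As a cross-check that needs no parsing at all, `kubectl auth can-i --list --as=system:serviceaccount:kube-system:weave-net -n kube-system` asks the API server itself what that identity may do (your own identity needs impersonate permission for this).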