 

Is there a way to find the RoleBinding/ClusterRoleBinding related to a serviceAccount?

Tags:

kubernetes

In Kubernetes, is there a way to find the RoleBinding/ClusterRoleBinding related to a serviceAccount without traversing all of the bindings?

This is very helpful when trying to solve problems related to the authentication a Pod uses to make requests to the API server.

asked Sep 29 '17 05:09 by flyer


1 Answer

As mentioned, there is no simple way to do this with kubectl but it is technically supported. You can pass Custom Columns to control the resultant STDOUT to produce the information you're interested in. Then you can either specify the -A argument to search all namespaces or use the -n specificNamespace argument. Lastly, you can then grep the resultant STDOUT of the command to filter it accordingly if necessary.

For example, if I grab all of the bindings from the kubernetes-dashboard I could run this command:

$> kubectl get rolebindings,clusterrolebindings \
      -n kubernetes-dashboard \
      -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' | wc -l
64

As you can see, I piped it into wc because over 60 results were returned and that would be awful to post on StackOverflow. However, if you use grep instead then you can easily retrieve more granular results. For example, this tweaked command shows that there is one CRB for the tj ServiceAccount resource.

$> kubectl get rolebindings,clusterrolebindings \
     -n kubernetes-dashboard \
     -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' | grep tj
ClusterRoleBinding   <none>                 tj                                                     tj

You could then set up a shell alias to simplify this going forward:

$> alias getbindings="kubectl get rolebindings,clusterrolebindings   -n kubernetes-dashboard    -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind==\"ServiceAccount\")].name' | grep"
$> getbindings tj
ClusterRoleBinding   <none>                 tj                                                     tj

Alternatively, you could even turn it into a function which accepts two arguments, one Namespace and one ServiceAccount, which then effectively creates your own solution to the feature request you have made. For example:

$> tail -n 6 ~/.bashrc
function get_bindings(){
    # $1 = namespace to search, $2 = ServiceAccount name to grep for
    kubectl get rolebindings,clusterrolebindings \
      -n "$1" \
      -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' | grep -- "$2"
}
$> get_bindings "kubernetes-dashboard" "tj"
ClusterRoleBinding   <none>                 tj                                                     tj

Hope this helps.

answered Nov 10 '22 20:11 by TJ Zimmerman
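
The following is an added example, not code from the answer above or from the Kubernetes project. It reads the JSON from `kubectl get rolebindings,clusterrolebindings -A -o json` and matches subjects by namespace and name instead of grepping columns, and it goes beyond the answer by also reporting bindings that reach the account through the built-in service-account groups or its `system:serviceaccount:` user name. The script name `sa_bindings.py`, the function names and the sample bindings are assumptions constructed for illustration.

```python
import json
import sys


def subject_matches(subject, sa_ns, sa_name, binding_ns):
    """True if one RBAC subject entry covers the ServiceAccount sa_ns/sa_name."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        # A RoleBinding subject without a namespace means the binding's own namespace.
        return name == sa_name and (subject.get("namespace") or binding_ns) == sa_ns
    if kind == "Group":
        # Groups that every ServiceAccount in sa_ns is a member of.
        return name in ("system:authenticated", "system:serviceaccounts",
                        f"system:serviceaccounts:{sa_ns}")
    if kind == "User":
        return name == f"system:serviceaccount:{sa_ns}:{sa_name}"
    return False


def bindings_for(binding_list, sa_ns, sa_name):
    """Return (kind, namespace, name, role) for every binding that covers the account."""
    hits = []
    for b in binding_list.get("items", []):
        ns = b["metadata"].get("namespace", "")  # empty for a ClusterRoleBinding
        if any(subject_matches(s, sa_ns, sa_name, ns) for s in b.get("subjects") or []):
            ref = b["roleRef"]
            hits.append((b["kind"], ns, b["metadata"]["name"], f"{ref['kind']}/{ref['name']}"))
    return hits


def _b(kind, name, subjects, ns=""):
    """Build one constructed binding (roleRef fixed to a made-up ClusterRole)."""
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, "subjects": subjects,
            "roleRef": {"kind": "ClusterRole", "name": "example-role"}}


# Constructed sample shaped like `kubectl get ... -o json`; not output from a real cluster.
SAMPLE = {"items": [
    _b("ClusterRoleBinding", "tj",
       [{"kind": "ServiceAccount", "name": "tj", "namespace": "kubernetes-dashboard"}]),
    _b("RoleBinding", "tj-other", [{"kind": "ServiceAccount", "name": "tj"}], ns="default"),
    _b("RoleBinding", "local", [{"kind": "ServiceAccount", "name": "tj"}], ns="kubernetes-dashboard"),
    _b("ClusterRoleBinding", "all-sa", [{"kind": "Group", "name": "system:serviceaccounts"}]),
]}

if __name__ == "__main__":
    ns, name = sys.argv[1:3] if len(sys.argv) == 3 else ("kubernetes-dashboard", "tj")
    data = json.load(sys.stdin) if len(sys.argv) == 3 else SAMPLE
    print("\n".join("\t".join(row) for row in bindings_for(data, ns, name)))
```

Run it as `kubectl get rolebindings,clusterrolebindings -A -o json | python3 sa_bindings.py kubernetes-dashboard tj`; without arguments it prints the matches from the constructed sample. The `tj-other` binding in the sample would match a plain `grep tj` but is correctly excluded here because its subject lives in another namespace.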