Silly Kubectl Trick #3: What Do I Have Permissions For?
Let's face it; there are lots of permissions in Kubernetes RBAC, and it sure would be nice if we could enumerate them. We go over the ones you need to know!
Stretching as far back as version 1.8 (in September of 2017), Kubernetes has supported a fine-grained access control mechanism called RBAC. Nothing gets done via the Kubernetes API that isn't governed by some sort of permission or another, and there are a lot of them.
Couple that with per-deployment service accounts, named user access credentials, and project-specific namespaces, and you've got the makings of a complex authorization scenario.
At times, you'll wonder precisely which permissions you, or a service account you use, have been granted – that's when you should reach for kubectl auth can-i.
To see everything you can do, try the following:
You can also just ask the API to see if a given action is allowed:
These commands exit 0 if such access would be allowed, and 1 if not, making them handy for use inside of shell scripts or other automation:
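The listing, single-check and scripting uses described above, combined into one added example (not code from the original article) that audits a ServiceAccount against a deny list. The deny list, the function names and the `demo` namespace used to call it are constructed for illustration; it assumes the caller is allowed to impersonate the account with `--as` and that kubectl prints `yes` or `no` for a single check. It goes one step beyond the exit code by reading that printed answer, so a failed API call is not mistaken for a denial.

```shell
#!/bin/sh
# Added example: audit a ServiceAccount against a deny list with
# `kubectl auth can-i`. Namespace, account and deny list are constructed.

# "verb resource" pairs the account should NOT hold (assumed policy).
DENY_LIST='create pods
get secrets
create clusterrolebindings
* *'

# list_sa NAMESPACE SERVICEACCOUNT: print everything the account may do.
list_sa() {
    kubectl auth can-i --list --namespace "$1" \
        --as "system:serviceaccount:$1:$2"
}

# can_i NAMESPACE SERVICEACCOUNT VERB RESOURCE
# Returns 0 = allowed, 1 = denied, 2 = no verdict. kubectl also exits
# non-zero when the API call itself fails, so the printed yes/no is
# checked instead of trusting the exit code alone.
can_i() {
    answer=$(kubectl auth can-i "$3" "$4" --namespace "$1" \
        --as "system:serviceaccount:$1:$2" </dev/null) || true
    case $answer in
        yes*) return 0 ;;
        no*)  return 1 ;;
        *)    return 2 ;;
    esac
}

# audit_sa NAMESPACE SERVICEACCOUNT
# Returns 0 = clean, 1 = at least one violation, 2 = check could not run.
audit_sa() {
    ns=$1 sa=$2 status=0
    while read -r verb resource; do
        [ -n "$verb" ] || continue
        rc=0
        can_i "$ns" "$sa" "$verb" "$resource" || rc=$?
        case $rc in
            0) echo "VIOLATION: $ns/$sa can $verb $resource"; status=1 ;;
            1) ;;
            *) echo "ERROR: no verdict for $verb $resource" >&2; return 2 ;;
        esac
    done <<EOF
$DENY_LIST
EOF
    return "$status"
}
```

Run `audit_sa demo builder` from a CI job or admission pipeline and fail the job on any non-zero status; `list_sa demo builder` prints the full grant table when a violation needs investigating.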
Check Out the Video!
Want more? Curious what happens when an unprivileged ServiceAccount is involved? Then check out the video and learn you some access control!