'How to view the permissions/roles associated with a specific service account in k8s?
I tried with the kubectl get sa default command, but only see some very basic values. What's the command to view the permissions/roles associated with a specific service account in k8s?
Solution 1:[1]
The following command could help. It basically gets the RoleBindings and ClusterRoleBindings which .subjects[0] is the name of the ServiceAccount.
$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="SERVICE_ACCOUNT_NAME")]}[{.roleRef.kind},{.roleRef.name}]{end}'
Note: it will not list the RoleBindings / ClusterRoleBindings which contain several objects in the subject field
For instance, if weave-net is deployed as the network plugin, you can get the Role and ClusterRole used by the weave-net ServiceAccount:
$ kubectl get rolebinding,clusterrolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="weave-net")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,weave-net][ClusterRole,weave-net]
Hope this helps.
Solution 2:[2]
kubectl get rolebindings,clusterrolebindings \
--all-namespaces \
-o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name'
you can try this command to generate a table to show the mapping
Solution 3:[3]
The issue with all the answers above is that they rely on you doing additional legwork to then compile all of the RoleBindings and/or ClusterRoleBindings and any duplicate policies that are granted by them into one master list you can reference for a given user/group/serviceaccount.
After a good deal of searching, I found rbac-tool.
Lookup Bindings
Use the lookup command to see all Roles or ClusterRoles that are bound to a user or service account.
For example, this will print the Roles and ClusterRoles for the default ServiceAccount.
rbac-tool lookup default
SUBJECT | SUBJECT TYPE | SCOPE | NAMESPACE | ROLE
+---------------------------------+----------------+-------------+-----------------------+-----------------------------------------------------------------+
default | ServiceAccount | ClusterRole | | cluster-admin
default | ServiceAccount | Role | openshift-marketplace | 29517457e658582846e43460363c3ffde708b018f636a66cc7e33076254bff4
default | ServiceAccount | ClusterRole | rook-ceph | psp:rook
system:serviceaccounts:default | Group | ClusterRole | default | system:image-puller
Display RBAC Policies
Use the policy-rules command to see all resources and RBAC rules granted to a specific user or service account.
rbac-tool policy-rules system:serviceaccounts:default
TYPE | SUBJECT | VERBS | NAMESPACE | API GROUP | KIND | NAMES | NONRESOURCEURI | ORIGINATED FROM
+-------+--------------------------------+-------+-----------+--------------------+---------------------+-------+----------------+-----------------------------------+
Group | system:serviceaccounts:default | get | default | core | imagestreams/layers | | | ClusterRoles>>system:image-puller
Group | system:serviceaccounts:default | get | default | image.openshift.io | imagestreams/layers | | | ClusterRoles>>system:image-puller
Solution 4:[4]
In Kubernetes, service account is mapped to privileges (cluster level or namespace level) using ClusterRoleBinding object. You need to lookup the RoleBinding or ClusterRoleBinding object and then look up the Role or ClusterRole object to see what privileges it has in the cluster.
Solution 5:[5]
Get the Role name which bound to the serviceaccount default using the following command.
kubectl get rolebinding --output=yaml or kubectl get clusterrolebinding --output=yaml
Now get the role config using
kubectl get role rolenamefrompreviouscommands
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Luc |
| Solution 2 | Andy Wong |
| Solution 3 | |
| Solution 4 | Shudipta Sharma |
| Solution 5 | joseph |