Kubernetes Explained Simply: #3 What Do I Have Permissions For?

by James Hunt
November 24th, 2020
Too Long; Didn't Read

Kubernetes Explained Simply: #3 What Do I Have Permissions For? Nothing gets done via the API that isn't governed by some sort of permission or another. Per-deployment service accounts, named user access credentials, and project-specific namespaces make it hard to know which permissions you have been granted. Check out the video and learn you some access control! You can also just ask the API whether a given action is allowed, for example: kubectl auth can-i get pods -n default, which prints yes.
Stretching as far back as version 1.8 (in September of 2017), Kubernetes has supported a fine-grained access control mechanism called RBAC.  Nothing gets done via the Kubernetes API that isn't governed by some sort of permission or another, and there are a lot of them.

Couple that with per-deployment service accounts, named user access credentials, and project-specific namespaces, and you've got the makings of a complex authorization scenario.

At times, you'll wonder precisely which permissions you, or a service account you use, have been granted. That's when you should reach for kubectl auth can-i.

To see everything you can do:

$ kubectl auth can-i --list
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

You can also just ask the API to see if a given action is allowed:

$ kubectl auth can-i get pods -n default
yes

$ kubectl auth can-i get pods -n kube-system
yes

$ echo $?
0

These commands exit 0 if such access would be allowed, and 1 if not, making them handy for use inside of shell scripts or other automation:

if ! kubectl auth can-i create secrets; then
  echo >&2 "You cannot create secrets.  Please contact your k8s admin."
  exit 4
fi
# etc.
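The snippet above checks one permission. The script below, added here as an example and not part of the original post, generalizes it into a preflight check that verifies every permission an automation job needs before it touches the cluster, relying only on the exit-code behaviour described above (0 means allowed, 1 means not). The KUBECTL override, the CHECK_NS guard variable and the list of required "verb resource" pairs are assumptions made for this example; the override exists so the logic can be exercised against a stub without a cluster.

```shell
#!/bin/sh
# Added example, not from the original post: a preflight permission check built
# on `kubectl auth can-i`, which exits 0 when the action is allowed and 1 when not.
# KUBECTL may point at a wrapper or stub (an assumption of this example); it
# defaults to the real kubectl on PATH. Left unquoted on purpose so a value such
# as "kubectl --context prod" is split into command and flags.

# can_i VERB RESOURCE [NAMESPACE]
# Returns 0 if the current identity may perform VERB on RESOURCE, 1 otherwise.
# The "yes"/"no" text is discarded; only the exit status is used.
can_i() {
  _verb=$1; _res=$2; _ns=${3:-}
  if [ -n "$_ns" ]; then
    ${KUBECTL:-kubectl} auth can-i "$_verb" "$_res" -n "$_ns" >/dev/null 2>&1
  else
    ${KUBECTL:-kubectl} auth can-i "$_verb" "$_res" >/dev/null 2>&1
  fi
}

# check_required NAMESPACE "verb resource" ...
# Checks each "verb resource" pair in NAMESPACE, prints one line per check,
# and returns the number of missing permissions (0 means everything is granted).
check_required() {
  ns=$1; shift
  missing=0
  for pair in "$@"; do
    verb=${pair%% *}       # text before the first space
    resource=${pair#* }    # text after the first space
    if can_i "$verb" "$resource" "$ns"; then
      echo "ok       $verb $resource (namespace $ns)"
    else
      echo "MISSING  $verb $resource (namespace $ns)"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Entry point: runs only when CHECK_NS is set, so the file can also be sourced
# for its functions without contacting a cluster. The required pairs are
# constructed for this example; substitute the ones your job really needs.
if [ -n "${CHECK_NS:-}" ]; then
  if ! check_required "$CHECK_NS" "create secrets" "get pods" "list deployments"; then
    echo >&2 "Missing permissions in namespace $CHECK_NS.  Please contact your k8s admin."
    exit 4
  fi
fi
```

Run it as `CHECK_NS=default sh preflight.sh` (file name assumed) at the top of a deployment job; a non-zero exit stops the job before it half-applies a change it cannot finish, and the MISSING lines tell the operator exactly which RoleBinding to ask for.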

Check out the Video!

Want more?  Curious what happens when an unprivileged ServiceAccount is involved?  Then check out the video and learn you some access control!

Previously published at https://starkandwayne.com/blog/silly-kubectl-trick-3-what-do-i-have-permissions-for/

About Author

R&D at Stark & Wayne, finding software solutions to customer problems and changing them into executable best practices.