
Kubernetes Explained Simply: #3 What Do I Have Permissions For?

James Hunt (@jameshunt)

R&D at Stark & Wayne, finding software solutions to customer problems and changing them into executable best practices.

Stretching as far back as version 1.8 (in September of 2017), Kubernetes has supported a fine-grained access control mechanism called RBAC.  Nothing gets done via the Kubernetes API that isn't governed by some sort of permission or another, and there are a lot of them.

Couple that with per-deployment service accounts, named user access credentials, and project-specific namespaces, and you've got the makings of a complex authorization scenario.

At times, you'll wonder precisely which permissions you, or a service account you use, have been granted – that's when you should reach for kubectl auth can-i.

To see everything you can do:

$ kubectl auth can-i --list
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

You can also just ask the API to see if a given action is allowed:

$ kubectl auth can-i get pods -n default
yes

$ kubectl auth can-i get pods -n kube-system
yes

$ echo $?
0

These commands exit 0 if such access would be allowed, and 1 if not, making them handy for use inside of shell scripts or other automation:

if ! kubectl auth can-i create secrets; then
  echo >&2 "You cannot create secrets.  Please contact your k8s admin."
  exit 4
fi
# etc.
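The exit-code pattern above scales up into a preflight check: evaluate a whole list of required permissions before a deploy, report every missing one at once instead of stopping at the first, and tell a genuine "no" apart from "could not ask" (no cluster reachable, bad credentials, kubectl not installed), since kubectl auth can-i exits non-zero in both cases. This is an added example, not code from the original post; REQUIRED_PERMS is a constructed list for a hypothetical deployment, and the KUBECTL variable is an assumption that lets a wrapper or stub stand in for the real binary.

```shell
#!/bin/sh
# Preflight RBAC check built on `kubectl auth can-i`.
# Added example, not from the original post.  Assumes a working kubeconfig for
# the identity that will do the deploy; KUBECTL may be overridden with a
# wrapper or a stub (assumption made for testability).
KUBECTL="${KUBECTL:-kubectl}"

# Permissions a hypothetical deployment needs: "<verb> <resource> [namespace]".
# This list is constructed for the example.
REQUIRED_PERMS='
get pods default
create deployments default
create secrets default
get configmaps kube-system
'

# can_i VERB RESOURCE [NAMESPACE]
# Prints "yes", "no" or "error".  kubectl exits 1 both for "denied" and for
# "could not evaluate", so the yes/no text on stdout is what we inspect.
can_i() {
  if [ -n "${3:-}" ]; then
    answer=$("$KUBECTL" auth can-i "$1" "$2" -n "$3" 2>/dev/null) || true
  else
    answer=$("$KUBECTL" auth can-i "$1" "$2" 2>/dev/null) || true
  fi
  case "$answer" in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;
  esac
}

# check_perms "LIST"
# Evaluates every line of LIST and prints each denied or unanswerable check.
# Returns 0 when everything is granted, 1 when something is denied, and 2 when
# any check could not be evaluated (an error outranks a denial).
check_perms() {
  denied=0
  errored=0
  while read -r verb resource ns; do
    if [ -z "$verb" ]; then continue; fi     # skip blank lines
    case "$(can_i "$verb" "$resource" "$ns")" in
      yes) ;;
      no)
        echo "missing: $verb $resource${ns:+ in namespace $ns}"
        denied=$((denied + 1)) ;;
      *)
        echo "error: could not evaluate $verb $resource${ns:+ in namespace $ns}"
        errored=$((errored + 1)) ;;
    esac
  done <<EOF
$1
EOF
  [ "$errored" -eq 0 ] || return 2
  [ "$denied" -eq 0 ] || return 1
  return 0
}

main() {
  if ! command -v "$KUBECTL" >/dev/null 2>&1; then
    echo >&2 "$KUBECTL not found in PATH"
    return 2
  fi
  check_perms "$REQUIRED_PERMS"
}

# Run the preflight when executed directly; set PREFLIGHT_SOURCED=1 to load
# only the functions into another script.  The script's exit status is main's
# return value, so `sh preflight.sh && ./deploy.sh` works as a gate.
if [ -z "${PREFLIGHT_SOURCED:-}" ]; then
  main
fi
```

Because can-i answers for whatever identity the current kubeconfig context selects, run the preflight under the same user or service account that will perform the deploy, not as a cluster admin whose answer is "yes" to everything, as the --list output above shows.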

Check out the Video!

Want more?  Curious what happens when an unprivileged ServiceAccount is involved?  Then check out the video and learn you some access control!

Previously published at https://starkandwayne.com/blog/silly-kubectl-trick-3-what-do-i-have-permissions-for/
