1

We can check the service accounts in a Kubernetes cluster. Likewise, is it possible to check the existing users and groups of my Kubernetes cluster with cluster-admin privileges? If yes, then how? If no, then why?

NOTE: I am using EKS

Aman
  • 193
  • 2
  • 15
  • Try this command `kubectl get clusterrolebindings | grep "cluster-admin"` and `kubectl get rolebindings -A | grep "cluster-admin"`. Is it what you are looking for? – moonkotte Jul 19 '21 at 14:09
  • Not exactly. I am looking for whether there is any specific command/way to see the existing users. For example, you can list all the existing users in your Linux machine if you have access to the /etc/passwd file. Something like that. @moonkotte – Aman Jul 19 '21 at 15:54

1 Answer

1

Posting this as a community wiki, feel free to edit and expand.


This won't answer everything, however there are some concepts and ideas.

In short, there's no easy way. It's not possible to do using Kubernetes itself. The reason for this is:

All Kubernetes clusters have two categories of users: service accounts managed by Kubernetes, and normal users.

It is assumed that a cluster-independent service manages normal users in the following ways:

  • an administrator distributing private keys
  • a user store like Keystone or Google Accounts
  • a file with a list of usernames and passwords

In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.

Source

More details and examples from another answer on SO


As for the EKS part which is mentioned, it should be done using AWS IAM in connection with Kubernetes RBAC. Below are articles about setting up IAM roles in a Kubernetes cluster. The same way it will be possible to find which role has cluster-admin permissions:

If another tool is used for identity management, it should be used (e.g. LDAP).

moonkotte
  • 3,661
  • 2
  • 10
  • 25
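The answer above explains why there is no user list to read: Kubernetes only records *bindings* to subjects (User, Group, ServiceAccount), and on EKS the names in those bindings come from IAM identities mapped through the `aws-auth` ConfigMap in `kube-system`. The script below is an added example, not part of the question or the answer, that does the two-step lookup a defender would run: walk the output of `kubectl get clusterrolebindings,rolebindings -A -o json` for every binding whose `roleRef` is the `cluster-admin` ClusterRole, then cross-reference the collected users and groups with the `mapRoles`/`mapUsers` YAML from `aws-auth` to name the IAM ARNs behind them. It goes a little beyond the `grep` in the comment by distinguishing a cluster-wide ClusterRoleBinding from a namespaced RoleBinding to `cluster-admin`, which only grants admin inside that namespace. All bindings, ARNs and names in `SAMPLE_*` are constructed for the example; the tiny YAML reader handles only the list-of-mappings shape that `aws-auth` uses, not general YAML.

```python
"""Who holds cluster-admin? RBAC bindings cross-referenced with EKS aws-auth.

Sample data below is constructed for this example; in practice feed the JSON of
`kubectl get clusterrolebindings,rolebindings -A -o json` and the mapRoles /
mapUsers strings from `kubectl -n kube-system get cm aws-auth -o json`.
"""
from collections import defaultdict

CLUSTER_ADMIN = "cluster-admin"


def cluster_admin_subjects(bindings):
    """Map (kind, name) -> list of bindings that grant the cluster-admin ClusterRole.
    ServiceAccount names are returned as namespace/name."""
    found = defaultdict(list)
    for item in bindings.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != CLUSTER_ADMIN:
            continue  # e.g. bindings to 'view' or 'edit' are not admin
        meta, ns = item["metadata"], item["metadata"].get("namespace")
        # A RoleBinding to cluster-admin is only admin inside its own namespace.
        scope = f" (namespace {ns})" if ns else " (cluster-wide)"
        where = f"{item['kind']} {meta['name']}{scope}"
        for subj in item.get("subjects") or []:
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                name = f"{subj.get('namespace', ns)}/{name}"
            found[(subj["kind"], name)].append(where)
    return dict(found)


def parse_aws_auth_map(text):
    """Minimal reader for aws-auth mapRoles/mapUsers: a YAML list of mappings with
    scalar values plus a `groups` list. Only that shape is supported."""
    entries, current, in_groups, base = [], None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("- ") and (base is None or indent == base):
            base = indent if base is None else base  # '- key: value' starts an entry
            current, in_groups = {}, False
            entries.append(current)
            line = line[2:].strip()
        elif line.startswith("- ") and in_groups:
            current["groups"].append(line[2:].strip())  # nested group item
            continue
        key, _, value = line.partition(":")  # first ':' only; ARNs contain ':'
        key, value = key.strip(), value.strip()
        if key == "groups":
            in_groups = value == ""
            current["groups"] = [] if in_groups else [
                g.strip() for g in value.strip("[]").split(",") if g.strip()]
        else:
            current[key], in_groups = value, False
    return entries


def iam_identities_with_cluster_admin(bindings, map_roles_text, map_users_text):
    """Return [(arn, [reasons])] for IAM roles/users whose mapped Kubernetes
    username or groups appear in a cluster-admin binding."""
    admins = cluster_admin_subjects(bindings)
    admin_groups = {n for k, n in admins if k == "Group"}
    admin_users = {n for k, n in admins if k == "User"}
    hits = []
    for arn_key, text in (("rolearn", map_roles_text), ("userarn", map_users_text)):
        for entry in parse_aws_auth_map(text):
            via = sorted(set(entry.get("groups", [])) & admin_groups)
            if entry.get("username") in admin_users:
                via.append(f"user:{entry['username']}")
            if via:
                hits.append((entry[arn_key], via))
    return hits


def _crb(name, subjects, role=CLUSTER_ADMIN, ns=None):
    """Build one (Cluster)RoleBinding item in kubectl -o json shape (constructed)."""
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    return {"kind": "RoleBinding" if ns else "ClusterRoleBinding", "metadata": meta,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
            "subjects": subjects}


SAMPLE_BINDINGS = {"kind": "List", "items": [
    _crb("cluster-admin", [{"kind": "Group", "name": "system:masters"}]),
    _crb("ops-admins", [{"kind": "User", "name": "alice@example.com"},
                        {"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "kube-system"}]),
    _crb("dev-admin", [{"kind": "User", "name": "bob"}], ns="dev"),
    _crb("view-all", [{"kind": "Group", "name": "viewers"}], role="view"),
]}
SAMPLE_MAP_ROLES = """\
- rolearn: arn:aws:iam::111122223333:role/eks-node-group
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::111122223333:role/platform-admin
  username: platform-admin
  groups:
    - system:masters
"""
SAMPLE_MAP_USERS = """\
- userarn: arn:aws:iam::111122223333:user/alice
  username: alice@example.com
  groups:
    - developers
"""

if __name__ == "__main__":
    for (kind, name), wheres in cluster_admin_subjects(SAMPLE_BINDINGS).items():
        print(f"{kind:15} {name:30} <- {'; '.join(wheres)}")
    for arn, via in iam_identities_with_cluster_admin(SAMPLE_BINDINGS, SAMPLE_MAP_ROLES, SAMPLE_MAP_USERS):
        print(f"IAM {arn} is cluster-admin via {', '.join(via)}")
```

Two caveats when reading the report on a real EKS cluster: the IAM identity that created the cluster is granted `system:masters` without ever appearing in `aws-auth`, so the ConfigMap under-reports by at least that one principal; and a subject can also reach admin-equivalent power through a custom ClusterRole with `*` verbs on `*` resources, which this script does not flag because it only follows references to the literal `cluster-admin` role.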