1

I am able to list, get pods, secrets, deployments and many other resources. I have cluster wide access for many resources. Is there some way to see the consolidated list of all permissions that I have in a kubernetes cluster?

The result of kubectl auth can-i '*' '*' is no though.

Surya
  • 2,429
  • 1
  • 21
  • 42

2 Answers

2

I don't think it is possible to get a consolidated list of all permissions that you have in a k8s cluster.

Looking at the help & examples for the kubectl auth can-i command, it needs a VERB, which is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc., and a TYPE, which is a Kubernetes resource.

The result of kubectl auth can-i '*' '*' is understandably no as it checks if you can do everything in your current namespace - which evidently is not true in your case and thus the no response.

You will need to run kubectl auth can-i for each resource and each action that you want to check (of course you would be able to use the -A or --all-namespaces flag for all namespaces), but I would imagine you can write a script to run a loop on this command for all/some resources to check permissions for all/some actions.

Update:

If you'd really want to, you could run a script to loop through certain kubectl cmds to achieve this.

The script would (could) look like:

#!/bin/bash
for namespace in $(kubectl get namespaces | awk '{ print $1 }' | tail -n +2); do
  echo "Current namespace: $namespace"
  for resource in $(kubectl api-resources --verbs=list --namespaced -o name); do
    for action in get list watch create update patch delete; do
      echo "- $action $resource"
      kubectl auth can-i "$action" "$resource" --namespace="$namespace"
    done
  done
done

Note: There could be variations of how you do this in bash.

I'll explain a bit:

  • Firstly, we're fetching all the namespaces, printing only the 1st column, and -n +2 basically means “start passing through on the second line of output”.
  • Next, we're fetching most (if not all) resource types available in your cluster. Picked up from here.
  • Iterating through a few common actions supported in K8s. Found most (if not all) on this page.
  • And then just run kubectl auth can-i cmd on each resource, action, and namespace we got in the earlier commands.

While it works, it takes a lot of time as we have a lot of namespaces and you'd have to go through a lot of output to find something or you would end up redirecting the output to a file and searching for fields.

Realistically, you would wanna run it only on a few namespaces at a time to check on a few actions on a few resources.

Something like this:

#!/bin/bash
for namespace in default calico-system; do
  echo "Current namespace: $namespace"
  for resource in pods deployments.apps; do
    for action in get create; do
      echo "- $action $resource"
      kubectl auth can-i "$action" "$resource" --namespace="$namespace"
    done
  done
done

It is a lot faster and would help you easily find what you're looking for.

Sample output:

Current namespace: default
- get pods
yes
- create pods
no
- get deployments.apps
yes
- create deployments.apps
no
Current namespace: calico-system
- get pods
yes
- create pods
no
- get deployments.apps
yes
- create deployments.apps
no

Hope it helps!

rock'n rolla
  • 1,883
  • 1
  • 13
  • 19
0

You can try with the command: kubectl auth can-i --list or kubectl auth can-i --list --as=[user-name]

You can also check this documentation

Siegfred V.
  • 1,143
  • 3
  • 12
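Both answers leave the reader with a wall of output to search through: the first produces one yes/no per verb, resource and namespace, the second prints the rules table from kubectl auth can-i --list once per namespace. The script below is an added example, not code from either answer or from kubectl itself. It reads the table that kubectl auth can-i --list prints (columns Resources, Non-Resource URLs, Resource Names, Verbs), turns each rule into one tab-separated line, and then lists the grants a reviewer would want to look at first: wildcard resources, wildcard verbs, and secret read access that is not restricted to named objects. The sample table is constructed so the script runs offline; the flagging rules are an assumption chosen for illustration, not a Kubernetes standard. Non-resource URL rows have an empty Resources column, so the parser locates the three bracketed columns by pattern rather than by whitespace-separated field number, which is the trap a naive awk '{ print $1, $4 }' falls into.

```shell
#!/usr/bin/env bash
# Added example (not from either answer): consolidate the table printed by
# `kubectl auth can-i --list` into one tab-separated rule per line and flag
# broad grants for review. The sample table below is constructed, not captured
# from a real cluster; against a cluster, pipe the real command in instead:
#   kubectl auth can-i --list -n "$ns" | summarize_rules
SAMPLE_CAN_I_LIST='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get list watch]
secrets                                         []                  []               [get list]
deployments.apps                                []                  []               [*]
                                                [/healthz]          []               [get]'

# Read the table on stdin and print "<kind>\t<target>\t<names>\t<verbs>" per
# row; kind is "resource" or "url". The Resources column is blank on
# non-resource URL rows, so whitespace-separated field numbers shift from row
# to row; the three bracketed columns are located by pattern instead.
summarize_rules() {
  awk '
    NR == 1 { next }                      # header line
    {
      line = $0
      n = 0
      # Pull out the bracketed groups left to right: URLs, names, verbs.
      while (match(line, /\[[^]]*\]/)) {
        n++
        group[n] = substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
      }
      if (n != 3) next                    # not a rule row
      gsub(/^[ \t]+|[ \t]+$/, "", line)   # what remains is the Resources column
      kind   = (line == "") ? "url" : "resource"
      target = (line == "") ? group[1] : line
      names  = (group[2] == "") ? "-" : group[2]
      printf "%s\t%s\t%s\t%s\n", kind, target, names, group[3]
    }'
}

# Print the rules a reviewer should look at first: wildcard resources,
# wildcard verbs, and read access to secrets that is not limited to named
# objects. These categories are an assumption for illustration, not a standard.
flag_broad_grants() {
  summarize_rules | awk -F"\t" '
    $1 == "resource" && ($2 == "*" || $2 ~ /^\*\./ || $2 ~ /\.\*$/) {
      print "wildcard-resource: " $2 " verbs=[" $4 "]"; next
    }
    $4 == "*" || $4 ~ /(^| )\*( |$)/ {
      print "wildcard-verbs: " $2; next
    }
    $1 == "resource" && $2 == "secrets" && $3 == "-" && $4 ~ /(^| )(get|list|watch)( |$)/ {
      print "unscoped-secret-read: " $2 " verbs=[" $4 "]"
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_CAN_I_LIST" | summarize_rules
echo "--- flagged ---"
printf '%s\n' "$SAMPLE_CAN_I_LIST" | flag_broad_grants
```

To cover a whole cluster the way the first answer's loop does, wrap the call in a loop over namespaces (for ns in $(kubectl get namespaces -o name | cut -d/ -f2); do echo "== $ns"; kubectl auth can-i --list -n "$ns" | flag_broad_grants; done); that is one API call per namespace instead of one per verb, resource and namespace, and the output is only the grants worth reading. Cluster-scoped rules (cluster roles bound to the same subject) show up in every namespace's table, so a grant that repeats identically across all namespaces usually comes from a ClusterRoleBinding rather than from per-namespace RoleBindings.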