Hey Guys, I've created service account in different namespace, clusterrole for . . .

Laxminarayana Rajula:
Hey Guys,

I’ve created a service account in a different namespace, a ClusterRole for PV and a ClusterRoleBinding. How do we validate that service account using the kubectl auth can-i get command?

Below are the details :

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cr
rules:
- apiGroups: [""]
  resources:
  - persistentvolumes
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cr
subjects:
- kind: ServiceAccount
  name: test-sr
  namespace: test-ns

$ k auth can-i list pv --as=system:serviceaccount:test-ns:test-sr -n test-ns
$ k auth can-i list pvc --as=system:serviceaccount:test-ns:test-sr -n test-ns

Both give yes.
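As an added example, not code from the thread: a stdlib-only Python model of the decision that kubectl auth can-i reports, applied to the ClusterRole cr and ClusterRoleBinding crb posted above. The SHORT_NAMES map, the constructed-admin role and the constructed-sa-group-admin binding are constructed for this example; the evaluator implements the core PolicyRule matching (verbs, apiGroups, resources and subresources, resourceNames, "*" wildcards) plus the implicit groups a ServiceAccount belongs to, so you can predict what a query should answer before touching a cluster and trace a surprising yes back to the binding that explains it. With only cr and crb in play, list pvc is denied, so a live yes for pvc must come from some other binding.

```python
# Added example (not from the forum thread): a stdlib-only model of the RBAC
# decision behind `kubectl auth can-i`, applied to the manifests from the question.
from dataclasses import dataclass

# Dict renderings of the two manifests posted in the question.
CLUSTER_ROLE_CR = {
    "kind": "ClusterRole", "metadata": {"name": "cr"},
    "rules": [{"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["list", "watch"]}],
}
CLUSTER_ROLE_BINDING_CRB = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "crb"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cr"},
    "subjects": [{"kind": "ServiceAccount", "name": "test-sr", "namespace": "test-ns"}],
}

# Constructed extras, not from the thread: an admin-style role bound to the implicit
# group every ServiceAccount is in. A binding like this makes `can-i list pvc` answer
# yes even though `cr` never mentions PVCs.
CONSTRUCTED_ADMIN_ROLE = {
    "kind": "ClusterRole", "metadata": {"name": "constructed-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
CONSTRUCTED_GROUP_BINDING = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "constructed-sa-group-admin"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "constructed-admin"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],
}

# kubectl resolves short names via API discovery; this constructed map stands in for that.
SHORT_NAMES = {"pv": "persistentvolumes", "pvc": "persistentvolumeclaims", "po": "pods", "svc": "services"}


@dataclass(frozen=True)
class Subject:
    kind: str          # "User" or "ServiceAccount"
    name: str
    namespace: str = ""

    def groups(self):
        """Groups the API server attaches to this identity automatically."""
        groups = ["system:authenticated"]
        if self.kind == "ServiceAccount":
            groups += ["system:serviceaccounts", f"system:serviceaccounts:{self.namespace}"]
        return groups


def parse_user(user):
    """Interpret a --as value: system:serviceaccount:<ns>:<name>, else a plain user."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return Subject("ServiceAccount", parts[3], parts[2])
    return Subject("User", user)


def _match(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """One PolicyRule check: verb, apiGroup, resource (with subresource) and resourceNames."""
    if not _match(rule.get("verbs", []), verb) or not _match(rule.get("apiGroups", []), api_group):
        return False
    resources = rule.get("resources", [])
    _, _, sub = resource.partition("/")
    if not ("*" in resources or resource in resources or (sub and f"*/{sub}" in resources)):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def binding_applies(binding, subject):
    """True when the subject itself or one of its implicit groups is listed."""
    for s in binding.get("subjects", []):
        if s["kind"] == "Group" and s["name"] in subject.groups():
            return True
        if s["kind"] == subject.kind and s["name"] == subject.name:
            if s["kind"] != "ServiceAccount" or s.get("namespace") == subject.namespace:
                return True
    return False


def grants(roles, bindings, user, verb, resource, api_group="", namespace="", name=""):
    """Names of the bindings that permit verb on resource for user; empty list means denied.

    RBAC is additive: one matching rule in any applicable binding is enough,
    and a RoleBinding only counts inside its own namespace.
    """
    subject = parse_user(user)
    resource = SHORT_NAMES.get(resource, resource)
    by_key = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r for r in roles}
    found = []
    for b in bindings:
        if not binding_applies(b, subject):
            continue
        b_ns = b["metadata"].get("namespace", "")
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue
        ref = b["roleRef"]
        role = by_key.get((ref["kind"], b_ns if ref["kind"] == "Role" else "", ref["name"]))
        if role and any(rule_allows(r, verb, api_group, resource, name) for r in role.get("rules", [])):
            found.append(b["metadata"]["name"])   # a dangling roleRef grants nothing
    return found


def can_i(roles, bindings, user, verb, resource, **kw):
    """Same yes/no answer kubectl auth can-i would print for these objects."""
    return "yes" if grants(roles, bindings, user, verb, resource, **kw) else "no"


if __name__ == "__main__":
    sa = "system:serviceaccount:test-ns:test-sr"
    roles, bindings = [CLUSTER_ROLE_CR], [CLUSTER_ROLE_BINDING_CRB]
    for res in ("pv", "pvc"):
        print(f"cr+crb only: can-i list {res} --as={sa}: {can_i(roles, bindings, sa, 'list', res)}")
    roles.append(CONSTRUCTED_ADMIN_ROLE)
    bindings.append(CONSTRUCTED_GROUP_BINDING)
    print("with the group binding, list pvc is granted by:", grants(roles, bindings, sa, "list", "pvc"))
```

The grants function returns every binding that would say yes, which is the useful part when a live cluster answers yes for something the role you wrote never mentions: the extra binding (here a constructed one on the system:serviceaccounts group) is what has to be found and tightened.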

Tej_Singh_Rana:
Hello, @Laxminarayana Rajula
When you run the below command:

$ kubectl auth can-i --list --as=system:serviceaccount:test-ns:test-sr -n test-ns

You will see the permissions list.

Tej_Singh_Rana:
That means the SA group is bound with the other group and it has full admin privileges.

Laxminarayana Rajula:
Thanks @Ravi Teja