Laxminarayana Rajula:
Hey Guys,
I’ve created a service account in a different namespace, a ClusterRole for PVs, and a ClusterRoleBinding. How do we validate that service account using the kubectl auth can-i get command?
Below are the details:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cr
rules:
- apiGroups: [""]
  resources:
  - persistentvolumes
  verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cr
subjects:
- kind: ServiceAccount
  name: test-sr
  namespace: test-ns
$ k auth can-i list pv --as=system:serviceaccount:test-ns:test-sr -n test-ns
$ k auth can-i list pvc --as=system:serviceaccount:test-ns:test-sr -n test-ns
Both are giving yes.