Hi All, I am trying to create a serviceaccount, clusterrole and clusterrolebind . . .

PP:
Hi All,

I am trying to create a serviceaccount, clusterrole and clusterrolebinding. Then checking the serviceaccount has access or not?

k create sa mysa
k create clusterrole create-role --resource=pv --verb=create
k create clusterrolebinding create-role-binding --clusterrole=create-role --serviceaccount=default:mysa
k auth can-i create pv --as system:serviceaccount:default:mysa # Always returning yes (even when the serviceaccount i.e,mysa was not created)

Can someone help me how to check access for serviceaccount?

Prasanna D M:
Use “k auth can-i --list --as system:serviceaccount:default:mysa” to check complete access to mysa

PP:
@Prasanna D M Do you know why am I getting always getting YES for any name given as service account name(which did not created also)?

Prasanna D M:
check the above set command to check, whether the user has permission to all resource(.) with all* verbs(8

Tej_Singh_Rana:
Hello, @PP
Please list all the permissions associated with that SA.

k auth can-i --list --as system:serviceaccount:default:mysa

Maybe other groups bound with the serviceaccount groups that’s why by default, creation of sa, every time getting default all permissions.

PP:
@Tej_Singh_Rana

controlplane $ k auth can-i --list --as system:serviceaccount:default:mysa
Resources Non-Resource URLs Resource Names Verbs
. [] [] []
[
] [] []
persistentvolumes [] [] [create]
http://selfsubjectaccessreviews.authorization.k8s.io|selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
http://selfsubjectrulesreviews.authorization.k8s.io|selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/
] [] [get]
[/api] [] [get]
[/apis/] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/
] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]

Below ‘pp’ is not a service account but still i see same permissions. I believe kubectl is not at all bother about the name given at last i.e., name

controlplane $ k auth can-i --list --as system:serviceaccount:default:pp
Resources Non-Resource URLs Resource Names Verbs
. [] [] []
[
] [] []
http://selfsubjectaccessreviews.authorization.k8s.io|selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
http://selfsubjectrulesreviews.authorization.k8s.io|selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/
] [] [get]
[/api] [] [get]
[/apis/] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/
] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]

Tej_Singh_Rana:
Hello, @PP
Please take a look into past discussions.
https://community.kodekloud.com/t/hi-guys-when-i-create-a-service-account-and-test-its-permissions-without-associ/15020
It will clear your doubts. Try to troubleshoot why it’s getting all the permissions. It’s hidden in the clusterrolebinding.

PP:
Thanks @Tej_Singh_Rana that was a good discussion. I read but forgot about it. Thanks again for reminding me. Now I am clear.