Hi All, I am trying to create a serviceaccount, clusterrole and clusterrolebind . . .

PP:
Hi All,

I am trying to create a serviceaccount, clusterrole and clusterrolebinding, and then check whether the serviceaccount has access or not.

k create sa mysa
k create clusterrole create-role --resource=pv --verb=create
k create clusterrolebinding create-role-binding --clusterrole=create-role --serviceaccount=default:mysa
k auth can-i create pv --as system:serviceaccount:default:mysa # Always returning yes (even when the serviceaccount, i.e., mysa, was not created)

Can someone help me with how to check access for a serviceaccount?

Prasanna D M:
Use “k auth can-i --list --as system:serviceaccount:default:mysa” to check the complete access of mysa.

PP:
@Prasanna D M Do you know why I am always getting YES for any name given as the service account name (even one which was not created)?

Prasanna D M:
Check with the above command whether the user has permission to all resources (*.*) with all verbs (*).

Tej_Singh_Rana:
Hello, @PP
Please list all the permissions associated with that SA.

k auth can-i --list --as system:serviceaccount:default:mysa

Maybe other groups are bound with the serviceaccount groups; that’s why, by default, every time an SA is created it gets all permissions.

PP:
@Tej_Singh_Rana

controlplane $ k auth can-i --list --as system:serviceaccount:default:mysa
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
persistentvolumes                               []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

Below, ‘pp’ is not a service account, but still I see the same permissions. I believe kubectl does not bother at all about the name given at the end, i.e., the name.

controlplane $ k auth can-i --list --as system:serviceaccount:default:pp
Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
                                                [*]                 []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

Tej_Singh_Rana:
Hello, @PP
Please take a look into past discussions.
https://kodekloud.com/community/t/hi-guys-when-i-create-a-service-account-and-test-its-permissions-without-associ/15020
It will clear your doubts. Try to troubleshoot why it’s getting all the permissions. It’s hidden in the clusterrolebinding.

PP:
Thanks @Tej_Singh_Rana that was a good discussion. I read but forgot about it. Thanks again for reminding me. Now I am clear.
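An added example (not from the thread) of the troubleshooting Tej_Singh_Rana points to: it models how the API server resolves an impersonated `system:serviceaccount:<ns>:<name>` subject against ClusterRoleBindings. The SA name is never checked for existence; it is matched by name and by the groups the API server implies for service accounts, which is why a binding on a group such as `system:serviceaccounts` grants a nonexistent SA everything. The bindings below (including `lab-sa-admin`) are constructed sample data, not taken from a real cluster.

```python
"""Which ClusterRoleBindings apply to an impersonated service account?"""
import json

# Constructed stand-in for `kubectl get clusterrolebindings -o json`.
SAMPLE_CRBS = json.loads("""
{"items": [
 {"metadata": {"name": "create-role-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "create-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "mysa", "namespace": "default"}]},
 {"metadata": {"name": "lab-sa-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
 {"metadata": {"name": "dev-user"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "User", "name": "dev"}]}
]}
""")


def implied_groups(username):
    """Groups the API server attaches to a `--as` user given no --as-group
    (assumed behaviour: authenticated + the SA groups for SA usernames)."""
    groups = ["system:authenticated"]
    if username.startswith("system:serviceaccount:"):
        ns = username.split(":")[2]
        groups += ["system:serviceaccounts", "system:serviceaccounts:" + ns]
    return groups


def subject_matches(subject, username, groups):
    """RBAC subject match: by user name, group membership, or SA identity."""
    kind = subject.get("kind")
    if kind == "User":
        return subject["name"] == username
    if kind == "Group":
        return subject["name"] in groups
    if kind == "ServiceAccount":
        sa_user = "system:serviceaccount:%s:%s" % (subject.get("namespace", ""), subject["name"])
        return username == sa_user
    return False


def bindings_for(username, crbs=SAMPLE_CRBS):
    """Return (binding name, ClusterRole name) pairs that grant to username."""
    groups = implied_groups(username)
    return [(crb["metadata"]["name"], crb["roleRef"]["name"])
            for crb in crbs["items"]
            if any(subject_matches(s, username, groups) for s in crb.get("subjects", []))]


if __name__ == "__main__":
    for sa in ("system:serviceaccount:default:mysa", "system:serviceaccount:default:pp"):
        print(sa, "->", bindings_for(sa))
```

Against a real cluster, feed `kubectl get clusterrolebindings -o json` into `bindings_for` and look for any hit whose roleRef is `cluster-admin` or another wildcard role; that is the hidden binding.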