kubernetes, rbac, kind

K8s rbac - Service Account missing capabilities


I'm playing around a bit with kind, and I was wondering why my service account's "kubectl auth can-i" output won't be affected by the given roles. Steps to reproduce, starting with a basic kind environment:

kind create cluster --config kind-example-config.yaml

where the yaml is:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# patch the generated kubeadm config with some extra settings
kubeadmConfigPatches:
- |
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  evictionHard:
    nodefs.available: "0%"
# patch it further using a JSON 6902 patch
kubeadmConfigPatchesJSON6902:
- group: kubeadm.k8s.io
  version: v1beta3
  kind: ClusterConfiguration
  patch: |
    - op: add
      path: /apiServer/certSANs/-
      value: my-hostname
# 1 control plane node and 3 workers
nodes:
# the control plane node config
- role: control-plane
# the three workers
- role: worker
- role: worker
- role: worker

Then create test namespace:

kubectl create ns test-namespace

...then switch to the ns:

kubectl config set-context --current --namespace=test-namespace

create an sa:

kubectl create sa shopping-api

create a role (I'll put the yaml directly):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-namespace
  name: shopping-api
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

and finally a rolebinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shopping-api
  namespace: test-namespace
subjects:
- kind: ServiceAccount
  name: shopping-api
roleRef:
  kind: Role
  name: shopping-api
  apiGroup: rbac.authorization.k8s.io

Now... if in this situation I try:

kubectl auth can-i --list --as=shopping-api --namespace=test-namespace

it's the same as when it was created:

Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                  []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/api]              []               [get]
                                                [/apis/*]           []               [get]
                                                [/apis]             []               [get]
                                                [/healthz]          []               [get]
                                                [/healthz]          []               [get]
                                                [/livez]            []               [get]
                                                [/livez]            []               [get]
                                                [/openapi/*]        []               [get]
                                                [/openapi]          []               [get]
                                                [/readyz]           []               [get]
                                                [/readyz]           []               [get]
                                                [/version/]         []               [get]
                                                [/version/]         []               [get]
                                                [/version]          []               [get]
                                                [/version]          []               [get]

and if I check whether, for example, I could list pods, this is the result:

E:\Development\k8s.lab>kubectl auth can-i list pod --as=shopping-api
no

I'm missing something; please point me in the right direction to understand what's going on, since in the pods apigroup I've clearly stated "list" as perfectly legitimate for this role.


Solution

  • Ok, it was working from the beginning; I wasn't aware of the special syntax for sa can-i as written here

    so, in my case it turns out like this:

    kubectl auth can-i --list --as=system:serviceaccount:test-namespace:shopping-api --namespace=test-namespace
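Added example, not part of the question or the answer above and not Kubernetes' own code: a toy re-implementation of how the RBAC authorizer decides whether a RoleBinding subject applies to the caller. It shows why `--as=shopping-api` impersonates a *User* named `shopping-api` (matched by no binding; the rows in the `--list` output above are the discovery and self-review permissions that roles bound to `system:authenticated` grant to every impersonated user), while `--as=system:serviceaccount:test-namespace:shopping-api` matches the `ServiceAccount` subject and receives the Role's pod verbs. The bindings, subjects and rules are constructed from the page's YAML; ClusterRoles, `resourceNames` and the group helper names are simplifications for the example.

```python
# Added example (not from the original post, not Kubernetes' own code): a toy
# version of RBAC subject matching and namespace-scoped authorization.
# Simplified: RoleBindings only, Role rules inlined, no resourceNames.
from dataclasses import dataclass
from typing import List, Tuple

SA_USERNAME_PREFIX = "system:serviceaccount:"


def sa_username(namespace: str, name: str) -> str:
    """Username the API server assigns to a service account token."""
    return f"{SA_USERNAME_PREFIX}{namespace}:{name}"


def sa_groups(namespace: str) -> List[str]:
    """Groups a real SA token carries; `--as` alone adds only system:authenticated."""
    return ["system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"]


@dataclass
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # ServiceAccount only; empty means "same namespace as the binding"


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class RoleBinding:
    namespace: str
    subjects: List[Subject]
    rules: List[Rule]    # rules of the referenced Role, inlined for this toy


def subject_applies(subject: Subject, binding_ns: str, username: str, groups: List[str]) -> bool:
    """Mirror the RBAC matching rule for each subject kind."""
    if subject.kind == "User":
        return subject.name == username
    if subject.kind == "Group":
        return subject.name in groups
    if subject.kind == "ServiceAccount":
        # A ServiceAccount subject never matches a bare username; it matches
        # system:serviceaccount:<ns>:<name>, <ns> defaulting to the binding's namespace.
        ns = subject.namespace or binding_ns
        return bool(ns) and username == sa_username(ns, subject.name)
    return False


def _matches(allowed: List[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str) -> bool:
    return (_matches(rule.verbs, verb) and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource))


def can_i(bindings, username, groups, namespace, verb, resource, api_group=""):
    """Namespace-scoped check over RoleBindings (toy version of `kubectl auth can-i`)."""
    for b in bindings:
        if b.namespace != namespace:
            continue
        if not any(subject_applies(s, b.namespace, username, groups) for s in b.subjects):
            continue
        if any(rule_allows(r, verb, api_group, resource) for r in b.rules):
            return True
    return False


# The page's Role + RoleBinding, subject namespace omitted exactly as in the post.
SHOPPING_API_BINDING = RoleBinding(
    namespace="test-namespace",
    subjects=[Subject(kind="ServiceAccount", name="shopping-api")],
    rules=[Rule(api_groups=[""], resources=["pods"], verbs=["get", "watch", "list"])],
)
BINDINGS = [SHOPPING_API_BINDING]


def compare_impersonation(namespace="test-namespace", sa="shopping-api") -> Tuple[bool, bool]:
    """(result of --as=<sa>, result of --as=system:serviceaccount:<ns>:<sa>) for 'list pods'."""
    as_user = can_i(BINDINGS, sa, ["system:authenticated"], namespace, "list", "pods")
    as_sa = can_i(BINDINGS, sa_username(namespace, sa), sa_groups(namespace), namespace, "list", "pods")
    return as_user, as_sa


def kubectl_can_i_argv(namespace, sa, verb, resource) -> List[str]:
    """kubectl invocation that checks a service account, passing its group memberships too."""
    argv = ["kubectl", "auth", "can-i", verb, resource,
            "--namespace", namespace, "--as", sa_username(namespace, sa)]
    for group in sa_groups(namespace)[:2]:   # system:authenticated is added by impersonation itself
        argv += ["--as-group", group]
    return argv


if __name__ == "__main__":
    print(compare_impersonation())          # (False, True)
    print(" ".join(kubectl_can_i_argv("test-namespace", "shopping-api", "list", "pods")))
```

The `--as-group` flags matter for real clusters: impersonating only the username adds just `system:authenticated`, so any Role or ClusterRole bound to the `system:serviceaccounts` or `system:serviceaccounts:<namespace>` groups would be missing from `can-i` output unless those groups are passed explicitly.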