I'm playing around a bit with kind, and I was wondering why my service account's "kubectl auth can-i" output won't be affected by the given roles. Steps to reproduce, starting with a basic kind environment:
kind create cluster --config kind-example-config.yaml
whereas the yaml is:
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
# patch the generated kubeadm config with some extra settings
kubeadmConfigPatches:
- |
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  evictionHard:
    nodefs.available: "0%"
# patch it further using a JSON 6902 patch
kubeadmConfigPatchesJSON6902:
- group: kubeadm.k8s.io
  version: v1beta3
  kind: ClusterConfiguration
  patch: |
    - op: add
      path: /apiServer/certSANs/-
      value: my-hostname
# 1 control plane node and 3 workers
nodes:
# the control plane node config
- role: control-plane
# the three workers
- role: worker
- role: worker
- role: worker
Then create test namespace:
kubectl create ns test-namespace
...then switch to ns:
kubectl config set-context --current --namespace=test-namespace
create a sa:
kubectl create sa shopping-api
creating a role (I'll put the yaml directly):
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test-namespace
  name: shopping-api
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
and finally a rolebinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shopping-api
  namespace: test-namespace
subjects:
- kind: ServiceAccount
  name: shopping-api
  # the namespace the service account lives in
  namespace: test-namespace
roleRef:
  kind: Role
  name: shopping-api
  apiGroup: rbac.authorization.k8s.io
Now... if in this situation I try:
kubectl auth can-i --list --as=shopping-api --namespace=test-namespace
it's the same as when it was created:
Resources Non-Resource URLs Resource Names Verbs
selfsubjectreviews.authentication.k8s.io [] [] [create]
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/*] [] [get]
[/api] [] [get]
[/apis/*] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/livez] [] [get]
[/livez] [] [get]
[/openapi/*] [] [get]
[/openapi] [] [get]
[/readyz] [] [get]
[/readyz] [] [get]
[/version/] [] [get]
[/version/] [] [get]
[/version] [] [get]
[/version] [] [get]
and if I check if, for example, i could list pods this is the result:
E:\Development\k8s.lab>kubectl auth can-i list pod --as=shopping-api
no
I'm missing something, please point me in the right direction to understand what's going on, since in the pods apigroup I've clearly stated "list" as perfectly legit for this role.
Ok, it was working from the beginning; I wasn't aware of the special syntax for sa can-i as written here
so, in my case it turns out like this:
kubectl auth can-i --list --as=system:serviceaccount:test-namespace:shopping-api --namespace=test-namespace
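Added example, not from the question or the answer above: a small POSIX shell helper that builds the `system:serviceaccount:<namespace>:<name>` username RBAC uses for a ServiceAccount, and emits a SubjectAccessReview that asks the API server the same question as `kubectl auth can-i --as=...` without needing impersonation rights. The `check_sa_can` wrapper assumes `kubectl` points at a reachable cluster; the function and manifest names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post).
# RBAC identifies a ServiceAccount as system:serviceaccount:<namespace>:<name>;
# a bare --as=<name> is treated as a User named <name>, which has no bindings.
sa_user() {
  # $1 = namespace of the ServiceAccount, $2 = ServiceAccount name
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# Emit a SubjectAccessReview for the ServiceAccount. Creating one only needs
# permission on subjectaccessreviews, so an auditor can check another
# identity without being allowed to impersonate it. The groups are the ones a
# real SA token carries; `--as` alone does not add them (see --as-group).
# $1 SA namespace, $2 SA name, $3 verb, $4 resource,
# $5 namespace the request targets (defaults to the SA's own namespace)
sar_manifest() {
  ns="$1"; name="$2"; verb="$3"; resource="$4"; target_ns="${5:-$1}"
  cat <<EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: $(sa_user "$ns" "$name")
  groups:
    - system:serviceaccounts
    - system:serviceaccounts:$ns
  resourceAttributes:
    namespace: $target_ns
    verb: $verb
    resource: $resource
EOF
}

# Submit the review and print "true" or "false" from .status.allowed.
# Needs kubectl and a cluster; it is defined here but not called on its own.
check_sa_can() {
  sar_manifest "$@" | kubectl create -f - -o jsonpath='{.status.allowed}'
}

# The question's case: may shopping-api in test-namespace list pods?
sa_user test-namespace shopping-api
sar_manifest test-namespace shopping-api list pods
```

Run `check_sa_can test-namespace shopping-api list pods` against the kind cluster to get the same answer as the corrected `can-i` command, plus the groups a real token would carry.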