Kubernetes RBAC

kubectl get roles -A
kubectl get rolebindings -A
kubectl get clusterroles | head -20
kubectl get clusterrolebindings | head -20

kubectl describe role pod-reader -n default
kubectl describe clusterrole admin
kubectl describe clusterrolebinding cluster-admin

kubectl auth can-i create pods                     # current user
kubectl auth can-i create pods --as=system:serviceaccount:default:myapp
kubectl auth can-i '*' '*'                         # am I cluster-admin?
kubectl auth can-i list secrets -n monitoring --as=jane

kubectl auth can-i --list --as=system:serviceaccount:default:myapp

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

kubectl create rolebinding myapp-pod-reader \
  --role=pod-reader \
  --serviceaccount=default:myapp \
  -n default

kubectl create clusterrolebinding monitoring-reader \
  --clusterrole=view \
  --serviceaccount=monitoring:prometheus

kubectl create serviceaccount myapp -n default
kubectl get serviceaccount -n default

kubectl create token myapp -n default              # short-lived token
kubectl create token myapp -n default --duration=24h

# admin, edit, view are aggregated ClusterRoles
# Adding label rbac.authorization.k8s.io/aggregate-to-view: "true"
# to your ClusterRole automatically merges it into "view"
kubectl get clusterrole view -o yaml | grep -A5 aggregationRule

# Check the error message for the missing permission
# Error: pods is forbidden: User "system:serviceaccount:default:myapp"
#   cannot list resource "pods" in API group "" in the namespace "monitoring"

# Verify bindings exist
kubectl get rolebindings,clusterrolebindings -A | grep myapp